SB2017101082 - Multiple vulnerabilities in PHP
Published: October 10, 2017 Updated: June 8, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2001-0108)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested.
2) Input validation error (CVE-ID: CVE-2001-1385)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts.
Remediation
Install update from vendor's website.
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000373
- http://marc.info/?l=bugtraq&m=97957961212852
- http://www.debian.org/security/2001/dsa-020
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-013.php3
- http://www.redhat.com/support/errata/RHSA-2000-136.html
- http://www.securityfocus.com/bid/2206
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5940
- http://www.iss.net/security_center/static/5939.php
- http://www.securityfocus.com/bid/2205