package: apache2
version: 2.2.14-4
tags: security

Hey Apache,

A small (4-line) patch is needed on /etc/apache2/mods-available/php5.conf.
All that is required is a change from

    AddType application/x-httpd-php .php

to

    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>

The issue lies in the fact that AddType 'suggests' to the HTTP clients what
to do with .php files, instead of forcing the server to parse it. This causes
the server to hand out the PHP file because it depends on the client to ask
nicely.

This behavior, and work-around, is outlined clearly here [1].

This can be considered a security risk; it is common to have passwords and
other sensitive data in the PHP script.

All the best,
Paul Tagliamonte

[1]: http://wiki.apache.org/httpd/DebianPHP

--
#define sizeof(x) rand()
:wq
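
An added example, not part of the original report or of the Debian package: a small Python check that flags the AddType mapping the report asks to have removed and confirms that the SetHandler form sits inside a FilesMatch section. The function name audit_php_conf and both sample configs (including the IfModule wrapper) are constructed for illustration.

```python
import re

PHP_TYPE = "application/x-httpd-php"

def audit_php_conf(text):
    """Audit one Apache config file's text.

    Returns (addtype_hits, sethandler_in_filesmatch):
      addtype_hits: [(line_number, line)] for AddType lines mapping PHP_TYPE
      sethandler_in_filesmatch: True if SetHandler PHP_TYPE sits in <FilesMatch>
    """
    addtype_hits, handler_ok = [], False
    sections = []  # names of the <Section> containers currently open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\w+\s*>", line):          # closing container
            if sections:
                sections.pop()
            continue
        opened = re.match(r"<(\w+)\b.*>$", line)   # opening container
        if opened:
            sections.append(opened.group(1).lower())
            continue
        parts = line.split()
        # Apache directive names and media types are case-insensitive.
        directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if not args or args[0] != PHP_TYPE:
            continue
        if directive == "addtype":
            addtype_hits.append((lineno, line))
        elif directive == "sethandler" and "filesmatch" in sections:
            handler_ok = True
    return addtype_hits, handler_ok

# Constructed sample configs (the IfModule wrapper is an assumption).
BEFORE = """<IfModule mod_php5.c>
    AddType application/x-httpd-php .php
</IfModule>
"""
AFTER = r"""<IfModule mod_php5.c>
    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>
</IfModule>
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_php_conf(conf))
```

A file passes when the first element is empty and the second is True; run it over each file under mods-available and mods-enabled that mentions the PHP handler.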