ID: 19113
Comment by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Apache related
Operating System: any
PHP Version: 4.3.0
New Comment:
It *is* severe because when I see in apache access_log a message like
this:
24.153.155.146 - - [22/Jan/2003:01:25:48 +0300] "CONNECT
maildelivery.somewhere:25 HTTP/1.0" 200 44623 "-" "-"
it is threatening enough for me to put away what I was doing and start
staring at my httpd.conf. And that only takes 3-4 hours to just find
this bug-report and make myself comfortable about this new "PHP
feature".
Previous Comments:
------------------------------------------------------------------------
[2003-01-19 04:57:37] [EMAIL PROTECTED]
Well can you tell me why it is "severe"?
Okay it is maybe not correct that it reacts on any string
but basicly why should it not react on
TINTE / HTTP/1.0
This could be a valid request if the server has loaded
mod_tinte v1.0 or whatever. If you dislike the feature
you can always check for a valid ("from your point of
view") request method from within your scripts.
------------------------------------------------------------------------
[2003-01-18 20:33:41] [EMAIL PROTECTED]
This problem seems more severe than reported here, at least in 4.1.3
with Apache 1.3.26 shipped with Debian GNU/Linux 3.0.1: If mod_php4 is
enabled, any (!) string (try "foobar\n\n" instead of "GET /
HTTP/1.0\n\n") will return the home page from $DOCUMENT_ROOT/index.php.
If we comment out the LoadModule directive for mod_php4, the server
returns correctly "501 method not implemented".
Interestingly we couldn't reproduce it on an Apache 1.3.26 with PHP
4.2.2, but this may be because of the tested virtual host is not the
first one in the httpd.conf.
We noticed this while trying to figure out why the Apache answered to
requests like "\xe3P" (probably trying to exploit some bugs in some
webserver) with "200 OK" instead of "501 method not implemented".
An example:
With mod_php4:
> telnet our_host 80
Trying ###.###.###.###...
Connected to our_host.
Escape character is '^]'.
\xe3P
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>our_host home page</TITLE>
</HEAD>
[...]
Without mod_php4:
> telnet our_host 80
Trying ###.###.###.###...
Connected to our_host.
Escape character is '^]'.
\xe3P
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
\xe3P to /index.php not supported.<P>
Invalid method in request \\xe3P<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at our_host Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
Maybe also interessting: A very long string (e.g. 80.000 characters)
correctly leads to an error "414 Request-URI Too Large", equal if
mod_php4 is loaded or not.
This looks like mod_php4 handles any possible request method, which is
passed to it. Is this really the wanted behaviour? Why should PHP
change Apache's behaviour in such cases?
------------------------------------------------------------------------
[2003-01-05 07:41:37] [EMAIL PROTECTED]
Verified in Apache 1.3.27/Linux/PHP 4.3.0
------------------------------------------------------------------------
[2003-01-04 16:48:32] [EMAIL PROTECTED]
Yes; [EMAIL PROTECTED] is correct. My previous comment ("bug possibly
fixed") was in haste.
The problem still exists in 4.3.0. Please, someone in the PHP crew
investigate this fully, as it's becoming more and more of an issue and
seems to be affecting essentially everyone who uses PHP and Apache.
------------------------------------------------------------------------
[2003-01-03 23:39:16] [EMAIL PROTECTED]
Problem still exists in PHP 4.3.0, i'm running Apache 1.3.27 on
FreeBSD.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/19113
--
Edit this bug report at http://bugs.php.net/?id=19113&edit=1
