[MacPorts] #38452: PHP code disclosure vulnerability with apache2 and other web servers (was: Apache on HFS Critical Security Issue)

Bradley Giesbrecht pixilla at macports.org
Thu Mar 21 08:29:38 PDT 2013


On Mar 20, 2013, at 12:34 PM, MacPorts wrote:

> #38452: PHP code disclosure vulnerability with apache2 and other web servers
> 
> I am able to reproduce the issue with MacPorts apache2 @2.2.4 and
> php55-apache2handler @5.5.0alpha6, and also with lighttpd @1.4.32 and
> php55-fcgi @5.5.0alpha6. I have not tested other web servers or PHP
> versions. I need to see upstream apache / lighttpd / php bug reports to
> determine what we should do to fix it.



MacPorts Trac appears to be offline.


If you have mod_rewrite available, this appears to work around the problem for me:
...
RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
...


I came up with this myself and the testing is very limited. I'm not that proficient with mod_rewrite rules; does someone have a better match than ".+\.p.+hp$"?


Regards,
Bradley Giesbrecht (pixilla)
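To see what the two-line rule in the post actually matches, here is a small added Python model of the RewriteCond/RewriteRule pair (example code, not from the post or from MacPorts); the host and file paths are constructed. It confirms that ordinary .php requests are left alone and that a request with an extra character inside the extension is redirected, and it also shows a false positive worth knowing about: a ".p" earlier in the path, such as in a directory name, triggers the redirect too.

```python
import re

# Pattern from the RewriteCond in the post; the [NC] flag makes it case-insensitive.
RULE_PATTERN = re.compile(r".+\.p.+hp$", re.IGNORECASE)


def rewrite_decision(script_filename, http_host, query_string=""):
    """Model the mod_rewrite workaround from the post.

    Returns None when the request is left alone, otherwise the redirect
    target "http://<host>" with the query string appended, as [QSA] does.
    As in Apache, the pattern is applied unanchored (search, not full match).
    """
    if RULE_PATTERN.search(script_filename) is None:
        return None
    target = "http://" + http_host
    if query_string:
        target += "?" + query_string
    return target


# Constructed SCRIPT_FILENAME values (hypothetical paths, not taken from the post).
HOST = "example.test"
SAMPLES = {
    "/var/www/index.php": None,                          # ordinary script: left alone
    "/var/www/INDEX.PHP": None,                          # case alone does not trigger the rule
    "/var/www/index.pXhp": "http://" + HOST,             # extra character inside ".php": redirected
    "/var/www/style.css": None,                          # no ".p" at all
    "/var/www/my.project/index.php": "http://" + HOST,   # false positive: ".p" in a directory name
}


def run_samples():
    """Return {path: decision} for every sample path."""
    return {path: rewrite_decision(path, HOST) for path in SAMPLES}


def samples_match_expectation():
    """True when every sample is handled as the comments above say."""
    return run_samples() == SAMPLES


if __name__ == "__main__":
    for path, decision in run_samples().items():
        print(path, "->", decision or "(served normally)")
```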


