Bug #18582 Default page download, not shown
Submitted: 2002-07-25 22:54 UTC Modified: 2002-10-15 01:00 UTC
Votes:7
Avg. Score:3.7 ± 1.2
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:1 (20.0%)
From: ctenedor at yahoo dot com Assigned:
Status: No Feedback Package: Apache related
PHP Version: 4.2.2 OS: freebsd
Private report: No CVE-ID: None
 [2002-07-25 22:54 UTC] ctenedor at yahoo dot com
Recently updated because of the vulnerability; I'm using PHP 4.2.2. Under certain conditions (with some internet providers), when someone tries to access the root of a directory (for example, www.myserver.com/pages/) and the default document is index.php, instead of the script being executed and the result shown, the browser's download dialog appears, in Explorer 5.x, 6.x, Mozilla 1.x and Netscape 4.x, and part or all of the script is downloaded when clicking "OK". Using another connection from a different provider, the page shows OK. In both cases (different providers), using /pages/index.php is OK and works normally. I didn't upgrade or modify Apache or the Apache conf. I'm using my old php.ini (upgraded from 4.1.? to 4.2.2), the same configure line, etc.

The page is www.mimorelia.com/foros/ . If you type www.mimorelia.com/foros/index.php instead, the page shows normally. I insist, with some internet providers it shows OK, with others not; maybe they use proxies or NAT to provide internet (cable providers).

Thanks

 [2002-07-25 23:35 UTC] rverlander@php.net
Umm, well, I'd **think** that that's a problem with their browsers. Have you tried adding:

DirectoryIndex index.php index.html index.htm

To .htaccess.
 [2002-07-26 06:19 UTC] sniper@php.net
Apache version? configure line for PHP ?
PHP as module/cgi? 
 [2002-07-26 10:05 UTC] ctenedor at yahoo dot com
'./configure' '--with-mysql' '--with-imap' '--with-xml' '--enable-dbase' '--enable-sockets' '--enable-safe-mode' '--with-apxs=/usr/local/apache/bin/apxs' '--with-gd=/usr/local/' '--with-jpeg-dir=/usr/local/' '--with-png-dir=/usr/local/' '--with-zlib-dir=/usr/local/'

Apache/1.3.22

PHP as module

The site was working OK. We were using URLs like 'directory/' and not 'directory/index.xxx' (php, htm, html), and it worked OK, including on the connections using the internet providers that now show the error. Now, after updating to 4.2.2, 'directory/'-like links don't work and sometimes show crucial information, such as conf paths and the script code.

Please explain how using .htaccess can fix it, in apache.conf I'm using

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html default.htm default.php default.html index.htm
</IfModule>

If I use .htaccess, does it mean that I will have to create a .htaccess for every directory of my site? Using .htaccess is common for me, but for tasks such as restricting access or hiding some files.
 [2002-07-26 16:19 UTC] Marc dot Wallman at ndsu dot nodak dot edu
I've had the same problem described here. 
The config of my server is:
   OS: Red Hat 7.3
   Arch: Intel 32bit
   PHP: 4.2.2 (DSO)
   Apache: 1.3.26
   PHP Configure line:
   './configure' '--prefix=/usr/local/php' 
   '--with-apxs=/usr/local/apache/bin/apxs' '--with-openssl'
   '--with-pcre-regex' '--with-mysql' '--with-pgsql' 
   '--with-ldap' '--with-zlib' '--enable-calendar' 
   '--with-java=/usr/java/j2sdk1.4.0_01' '--enable-wddx' 
   '--with-bz2' '--enable-ctype' '--with-curl' 
   '--with-cybercash' '--with-db' '--with-dom'
   '--enable-exif' '--with-gd' '--with-gettext' 
   '--with-hyperwave' '--with-iconv' '--with-imap' 
   '--with-yaz' '--with-xmlrpc' 
   '--with-kerberos=/usr/kerberos' 
   '--with-pear=/usr/local/php/pear'
   '--with-imap-ssl'

Interestingly, it happens with Mozilla 1.0 under linux and does not happen with the version of Konqueror that comes with KDE 3.0.

If I choose to download the URL (e.g. http://www.mydomain.com/stuff/) with Mozilla, I get the PHP source! This leads me to believe it is a bug in PHP.
My apache config does not contain the x-httpd-php-source AddType directive.
 [2002-07-29 06:02 UTC] pjc51 at hermes dot cam dot ac dot uk
I'm experiencing the same problem on GNU/Linux with PHP 4.1.2 (From Debian Woody) and Apache 1.3.26. It seems that unprocessed PHP is being served in the following situation:

1. References to the directory name rather than the index.php file in the get request.
2. Access is through a proxy server.

Also:

(3. I have a hunch that it may be connected with PHP session cookies, although I don't really have any evidence other than the fact that the page I've experienced this on makes heavy use of them)

I should also add that as PHP scripts can potentially contain (eg) plain text database passwords, this is potentially a security issue.

I shall investigate this evening when I have a little more time and try and work out exactly what is going wrong.
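
[Added example, not part of any comment in this report and not PHP project code.] A check for the symptom the reports above describe: a response to a directory URL that carries unexecuted PHP, and whether a proxy relayed it. The function names and both sample responses are constructed for illustration.

```python
import re
from email.parser import Parser

# Types Apache maps to the PHP handler; seeing one on the wire means the
# file was sent as-is (browsers answer with a download dialog).
PHP_HANDLER_TYPES = {"application/x-httpd-php", "application/x-httpd-php-source"}
# Matches <?php, <?= and the short tag "<? ", but not "<?xml".
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(status_line.split()[1]), headers, body

def check_source_disclosure(raw: bytes) -> dict:
    """Report whether a response carries unexecuted PHP and whether a proxy relayed it."""
    status, headers, body = parse_response(raw)
    reasons = []
    ctype = headers.get_content_type()
    if ctype in PHP_HANDLER_TYPES:
        reasons.append(f"Content-Type is {ctype}")
    if PHP_OPEN_TAG.search(body):
        reasons.append("PHP open tag present in body")
    return {"status": status, "leak": bool(reasons),
            "via_proxy": "Via" in headers, "reasons": reasons}

# Constructed sample responses (not captured from the reporter's site).
DIRECT_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>Forum index</body></html>")
PROXIED_LEAK = (b"HTTP/1.0 200 OK\r\nVia: 1.0 cache.isp.example\r\n"
                b"Content-Type: application/x-httpd-php\r\n\r\n"
                b"<?php\n$db = mysql_connect('localhost', 'forum', 'PLACEHOLDER');\n?>")

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_OK), ("proxied", PROXIED_LEAK)):
        print(name, check_source_disclosure(raw))
```

Running it against the same directory URL fetched directly and through each provider's proxy shows which path delivers the raw script.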
 [2002-09-29 20:57 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-10-15 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-04-16 06:41 UTC] gurpreet_satnam at hotmail dot com
Testing
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC