php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18582 Default page download, not shown
Submitted: 2002-07-25 22:54 UTC Modified: 2002-10-15 01:00 UTC
Votes:7
Avg. Score:3.7 ± 1.2
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:1 (20.0%)
From: ctenedor at yahoo dot com Assigned:
Status: No Feedback Package: Apache related
PHP Version: 4.2.2 OS: freebsd
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2002-07-25 22:54 UTC] ctenedor at yahoo dot com
Recently updated cause the vulnerability, I'm using PHP 4.2.2. In certain conditions (with some internet providers) when someone try to access the root of a directory (for example, www.myserver.com/pages/) and the default document is index.php, instead of execute script and show the result, appears the browser's download dialog, in explorer 5.x,, 6.x, Mozilla 1.x and Netscape 4.x, and part or complete script is downloaded when clicking "OK". Using another connection of a different provider, the page shows ok. In both cases (different providers), using /pages/index.php is ok, and works normal. I don't upgrade or modify apache, or apache conf. I'm using my old php ini (upgraded from 4.1.? to 4.2.2), the same configure line, etc. 

The page is www.mimorelia.com/foros/ . If you type instead www.mimorelia.com/foros/index.php, the page shows normal. I insist, some internet providers shows ok, others no, maybe using proxys or nat for provide internet. (cable providers)

Thanks

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-25 23:35 UTC] rverlander@php.net
Umm well I'd **think**  that thats a problem with thier browsers, have you tried adding:

DirectoryIndex index.php index.html index.htm

To .htaccess.
 [2002-07-26 06:19 UTC] sniper@php.net
Apache version? configure line for PHP ?
PHP as module/cgi? 
 [2002-07-26 10:05 UTC] ctenedor at yahoo dot com
'./configure' '--with-mysql' '--with-imap' '--with-xml' '--enable-dbase' '--enable-sockets' '--enable-safe-mode' '--with-apxs=/usr/local/apache/bin/apxs' '--with-gd=/usr/local/' '--with-jpeg-dir=/usr/local/' '--with-png-dir=/usr/local/' '--with-zlib-dir=/usr/local/'

Apache/1.3.22

PHP as module

The site was working ok, we were using urls like 'directory/' and no 'directory/index.xxx' (php, htm,html), and it worked ok, including the connections using the internet providers that now show the error. Now, when updated 4.2.2, 'directory/ like' links doesn't work and sometimes show crucial information, as confs path's, and the script code.

Please explain how using .htaccess can fix it, in apache.conf I'm using

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html default.htm default.php default.html index.htm
</IfModule>

If I use .htaccess it means that I will have to create a .htaccess for every directory of my site? Using .htaccess is common for me, but for tasks as restricting access or hidden some files.
 [2002-07-26 16:19 UTC] Marc dot Wallman at ndsu dot nodak dot edu
I've had the same problem described here. 
The config of my server is:
   OS: Red Hat 7.3
   Arch: Intel 32bit
   PHP: 4.2.2 (DSO)
   Apache: 1.3.26
   PHP Configure line:
   './configure' '--prefix=/usr/local/php' 
   '--with-apxs=/usr/local/apache/bin/apxs' '--with-openssl'
   '--with-pcre-regex' '--with-mysql' '--with-pgsql' 
   '--with-ldap' '--with-zlib' '--enable-calendar' 
   '--with-java=/usr/java/j2sdk1.4.0_01' '--enable-wddx' 
   '--with-bz2' '--enable-ctype' '--with-curl' 
   '--with-cybercash' '--with-db' '--with-dom'
   '--enable-exif' '--with-gd' '--with-gettext' 
   '--with-hyperwave' '--with-iconv' '--with-imap' 
   '--with-yaz' '--with-xmlrpc' 
   '--with-kerberos=/usr/kerberos' 
   '--with-pear=/usr/local/php/pear'
   '--with-imap-ssl'

Interestingly, it happens with Mozilla 1.0 under linux and does not happen with the version of Konqueror that comes with KDE 3.0.

If I choose to download the URL (e.g. http://www.mydomain.com/stuff/) with mozilla I get the 
PHP source! This leads me to believe it is bug in PHP.
My apache config does not contain the x-httpd-php-source AddType directive.
 [2002-07-29 06:02 UTC] pjc51 at hermes dot cam dot ac dot uk
I'm experiencing the same problem on GNU/Linux with PHP 4.1.2 (From Debian Woody) and Apache 1.3.26. It seems that unprocessed PHP is being served in the following situation:

1. References to the directory name rather than the index.php file in the get request.
2. Access is through a proxy server.

Also:

(3. I have a hunch that it may be connected with PHP session cookies, although I don't really have any evidence other than the fact that the page I've experienced this on makes heavy use of them)

I should also add that as PHP scripts can potentially contain (eg) plain text database passwords, this is potentially a security issue.

I shall investigate this evening when I have a little more time and try and work out exactly what is going wrong.
 [2002-09-29 20:57 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-10-15 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-04-16 06:41 UTC] gurpreet_satnam at hotmail dot com
Testing
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun May 19 06:01:26 2019 UTC