PHP .htaccess Attribute Transfer Vulnerability

PHP the Personal Home Page software package distributed and maintained by the PHP Development Team. PHP provides enhanced attributes and added functionality to web pages.

A problem with the PHP package could allow for unauthorized access to restricted resources. The problem is specifically in the Apache Module of the PHP package, and affects the package only when running in combination with Apache Webserver. Per directory access control is done via the .htaccess file. However, by generating a custom crafted request, it is possible to force PHP to serve the next page with the same access control attributes as the previous accessed page. This problem could allow a malicious user to access restricted information in an intelligence gathering attack.


Privacy Statement
Copyright 2010, SecurityFocus