Date: 25 Jul 2002 12:45:31 -0000
From: Chris Shenton <chris@Shenton.Org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/40979: mod_php security fix breaks PHP 4.2.2: variables not passed
Message-ID: <20020725124531.9692.qmail@Thanatos.Shenton.Org>

>Number:         40979
>Category:       ports
>Synopsis:       mod_php security fix breaks PHP 4.2.2: variables not passed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 25 05:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Chris Shenton
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD thanatos.shenton.org 4.6-STABLE FreeBSD 4.6-STABLE #12: Wed Jul 3 11:08:15 EDT 2002 chris@thanatos.shenton.org:/usr/obj/usr/src/sys/Thanatos i386

>Description:

PHP passes variables from a form via HTTP GET (in URL) or POST
variables (in HTTP body). The PHP form processor never sees those
variables. This broke when I upgraded to the security fix for
mod_php 4.2.2.

>How-To-Repeat:

A simple form, form.html:

    <form action="form-vars.php">
    <input name="var1" value="ThisIsVar1">
    <input name="var2" value="ThisIsVar2">
    <input type="submit">
    </form>

A simple form processor, form-vars.php:

    <?php
    echo "<BR>argc=$argc argv0=$argv[0] argv1=$argv[1] argv2=$argv[2]";
    echo "<BR>var1=$var1 var2=$var2";
    echo "<HR>";
    phpinfo();
    ?>

Point web browser at form, hit SUBMIT, see output:

    argc= argv0= argv1= argv2=
    var1= var2=

It doesn't even have a count for variables.

>Fix:

Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message