Thijs Kinkhorst
2010-Jun-29 15:14 UTC
[Secure-testing-team] Bug#587536: phpldapadmin: ships Apache configuration setting PHP register_globals On
Package: phpldapadmin
Version: 1.2.0.5-1
Severity: serious
Tags: security
Justification: requiring rg on not supported by security team

Hi,

The file debian/conf/apache.conf sets PHP's register_globals setting to On:

    php_flag register_globals On

The Debian Security Team does not support configurations that require this dangerous setting to be on. For the record, the setting has defaulted to off in PHP for years and has been deprecated by PHP upstream.

I cannot find a requirement in the upstream documentation that this setting needs to be on, so probably it can just be removed from the shipped config file.

Cheers,
Thijs

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
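
An added example, not part of the original report or of the phpldapadmin package: a check a maintainer or reviewer could run over shipped Apache configuration snippets to flag any mod_php directive that turns register_globals on. The function name, the sample configuration (including its paths) and the choice to treat on/1/true/yes as "enabled" are assumptions of this example.

```python
import re

# Directives mod_php accepts in Apache configuration for setting ini values.
PHP_DIRECTIVES = {"php_flag", "php_admin_flag", "php_value", "php_admin_value"}
# Assumption of this example: be conservative and treat all of these as "enabled".
TRUTHY = {"on", "1", "true", "yes"}

# "<directive> <ini-name> <value>"; section tags such as <Directory> do not match.
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s+(.+?)\s*$")


def find_register_globals(conf_text):
    """Return (line_number, directive, value) for each line enabling register_globals."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives have no effect
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, name, value = m.groups()
        value = value.strip("\"'").lower()
        # Apache directive names and PHP boolean values are case-insensitive.
        if (directive.lower() in PHP_DIRECTIVES
                and name.lower() == "register_globals"
                and value in TRUTHY):
            findings.append((lineno, directive, value))
    return findings


# Constructed sample built around the directive quoted in the report;
# the paths are placeholders, not the package's real layout.
SAMPLE_CONF = """\
Alias /example-app /srv/example-app/htdocs
<Directory /srv/example-app/htdocs/>
    DirectoryIndex index.php
    <IfModule mod_php5.c>
        php_flag magic_quotes_gpc Off
        php_flag register_globals On
        # php_flag register_globals On
        php_value register_globals 0
    </IfModule>
</Directory>
"""

if __name__ == "__main__":
    for lineno, directive, value in find_register_globals(SAMPLE_CONF):
        print(f"line {lineno}: {directive} register_globals {value}")
```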