On Mar 20, 2013, at 12:34 PM, MacPorts wrote:
#38452: PHP code disclosure vulnerability with apache2 and other web servers
I am able to reproduce the issue with MacPorts apache2 @2.2.4 and php55-apache2handler @5.5.0alpha6, and also with lighttpd @1.4.32 and php55-fcgi @5.5.0alpha6. I have not tested other web servers or PHP versions. I need to see upstream apache / lighttpd / php bug reports to determine what we should do to fix it.
MacPorts Trac appears to be offline.

If you have mod_rewrite available this appears to work around the problem for me:

    ...
    RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
    RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
    ...

I came up with this myself and the testing is very limited. I'm not that proficient with mod_rewrite rules; does someone have a better match than ".+\.p.+hp$"?

Regards,
Bradley Giesbrecht (pixilla)