Debian Security Advisory DSA 020-1 (php4)

The remote host is missing an update to php4 announced via advisory DSA 020-1.
The Zend people have found a vulnerability in older versions of PHP4 (the original advisory speaks of 4.0.4 while the bugs are present in 4.0.3 as well). It is possible to specify PHP directives on a per-directory basis which leads to a remote attacker crafting an HTTP request that would cause the next page to be served with the wrong values for these directives. Also even if PHP is installed, it can be activated and deactivated on a per-directory or per-virtual host basis using the 'engine=on' or 'engine=off' directive. This setting can be leaked to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server. We recommend you upgrade your php4 packages.