Debian Bug report logs -
#317577
libapache-mod-php4: php_value specified in within a virtualhost-section may spread to other v-hosts
Reported by: Carsten Wolff <carsten@wolffcarsten.de>
Date: Sat, 9 Jul 2005 20:18:04 UTC
Severity: important
Tags: moreinfo, unreproducible
Merged with 330419
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#317577; Package libapache-mod-php4.
(full text, mbox, link).
Acknowledgement sent to Carsten Wolff <carsten@wolffcarsten.de>:
New Bug report received and forwarded. Copy sent to Adam Conrad <adconrad@0c3.net>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libapache-mod-php4
Version: 4:4.3.10-15
Severity: grave
Tags: security
Justification: user security hole
In my sarge installation I experience problems, that are at least
related to this upstream bugreport:
http://bugs.php.net/bug.php?id=25753
This (closed) report states, that the problem is fixed by a 3-line patch. That
code is in the 4.3.10-15 package, but still mod_php shows the same behaviour
under some circumstances:
I have several virtualhosts on my system. Some of them I had configured
to use phpbb2 from debian. For that the phpbb2-package suggests to load
per-virtualhost configurations by adding a "php_value auto_prepend_file"
directive to the respective virtualhost-section. So I did:
<VirtualHost 123.123.123.123:80>
ServerName v1.xyz.ab
DocumentRoot /usr/share/phpbb2/site
php_value auto_prepend_file /etc/phpbb2/v1.xyz.ab.php
</VirtualHost>
<VirtualHost 123.123.123.123:80>
ServerName v2.xyz.ab
DocumentRoot /usr/share/phpbb2/site
php_value auto_prepend_file /etc/phpbb2/v2.xyz.ab.php
</VirtualHost>
Now when I open v1.xyz.ab in a browser, it will randomly load either
configuration, depending on which child-process answers the request. if
I add a phpinfo(); at the right place, I can even see, that
"auto_prepend_file" sporadically has the (wrong) value
"/etc/phpbb2/v2.xyz.ab.php".
The upstram bugreport states, this would have only occured before their
bugfix, when a php-source-file had the "x" flag set. Of course the
source from phpbb2 has 644 rights and appearently, there are still some
other situations, where the bug occurs.
This bug is at least annoying, preventing the use of per-virtualhost
configuration. It can even be dangerous, if f.e. base-dir restrictions
are applied to the wrong virtualhosts, so that users gain access to data
of other users.
For more Information, f.e. for help reproducing the error, please feel
free to ask.
Cheers
Carsten
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages libapache-mod-php4 depends on:
ii apache-common 1.3.33-6 support files for all Apache webse
ii debconf [debconf-2.0] 1.4.30.13 Debian configuration management sy
ii libbz2-1.0 1.0.2-7 high-quality block-sorting file co
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libcomerr2 1.37-2sarge1 common error description library
ii libdb4.2 4.2.52-18 Berkeley v4.2 Database Libraries [
ii libexpat1 1.95.8-3 XML parsing C library - runtime li
ii libkrb53 1.3.6-2 MIT Kerberos runtime libraries
ii libmagic1 4.12-1 File type determination library us
ii libpcre3 4.5-1.2 Perl 5 Compatible Regular Expressi
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii libzzip-0-12 0.12.83-4 library providing read access on Z
ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap
ii php4-common 4:4.3.10-15 Common files for packages built fr
ii zlib1g 1:1.2.2-4.sarge.1 compression library - runtime
-- debconf information:
php4/update_apache_php_ini: true
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#317577; Package libapache-mod-php4.
(full text, mbox, link).
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Conrad <adconrad@0c3.net>.
(full text, mbox, link).
Message #10 received at 317577@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 317577 unreproducible moreinfo
thanks
On Sat, Jul 09, 2005 at 10:03:58PM +0200, Carsten Wolff wrote:
> I have several virtualhosts on my system. Some of them I had configured
> to use phpbb2 from debian. For that the phpbb2-package suggests to load
> per-virtualhost configurations by adding a "php_value auto_prepend_file"
> directive to the respective virtualhost-section. So I did:
> <VirtualHost 123.123.123.123:80>
> ServerName v1.xyz.ab
> DocumentRoot /usr/share/phpbb2/site
> php_value auto_prepend_file /etc/phpbb2/v1.xyz.ab.php
> </VirtualHost>
> <VirtualHost 123.123.123.123:80>
> ServerName v2.xyz.ab
> DocumentRoot /usr/share/phpbb2/site
> php_value auto_prepend_file /etc/phpbb2/v2.xyz.ab.php
> </VirtualHost>
> Now when I open v1.xyz.ab in a browser, it will randomly load either
> configuration, depending on which child-process answers the request. if
> I add a phpinfo(); at the right place, I can even see, that
> "auto_prepend_file" sporadically has the (wrong) value
> "/etc/phpbb2/v2.xyz.ab.php".
This bug is 100% unreproducible for me here. Are you sure
"123.123.123.123:80" is configured as a NameVirtualHost? Do the
"auto_prepend_file" values from phpinfo() match the "SERVER_NAME" values?
--
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]
Tags added: unreproducible, moreinfo
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#317577; Package libapache-mod-php4.
(full text, mbox, link).
Acknowledgement sent to Carsten Wolff <carsten@wolffcarsten.de>:
Extra info received and forwarded to list. Copy sent to Adam Conrad <adconrad@0c3.net>.
(full text, mbox, link).
Message #17 received at 317577@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sunday 10 July 2005 11:08, Steve Langasek wrote:
> This bug is 100% unreproducible for me here. Are you sure
> "123.123.123.123:80" is configured as a NameVirtualHost? Do the
> "auto_prepend_file" values from phpinfo() match the "SERVER_NAME" values?
Yes I'm sure, I have about 50 (sub-)domains on that server configured through
NameVirtualHost and so far everything worked fine. Interestingly enough, only
the phpbb2-VirtualHosts (which are the only ones f.e. sharing the same
DocumentRoot) seem to be effected by the bug, i.e. the php_(admin)_values
only "leak" between them, other domains are not effected. It ssems, that the
fact, that they have some things in common play a role here.
auto_prepend_file is not the only value that shows this behavior, it's
actually every php_(admin)_value|flag.
The SERVER_NAME in phpinfo() is always correct, in fact I used it to work
around auto_prepend_file and include configs depending on
$_SERVER['SERVER_NAME'].
I can either send you more Info like URLs and configs in private mail, if you
want to see for yourself, or if you're on IRC we can debug it together. I'm
currently in #debian as wolffc.
[Message part 2 (application/pgp-signature, inline)]
Severity set to `important'.
Request was from Adam Conrad <adconrad@0c3.net>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#317577; Package libapache-mod-php4.
(full text, mbox, link).
Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(full text, mbox, link).
Message #30 received at 317577@bugs.debian.org (full text, mbox, reply):
reassign 301824 libapache2-mod-php5
reassign 330419 libapache2-mod-php5
reassign 317577 libapache2-mod-php5
reassign 321460 libapache2-mod-php5
reassign 319398 libapache2-mod-php5
reassign 419714 libapache2-mod-php5
thanks
The libapache-mod-php4 package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the libapache2-mod-php5 package. Please
have a look at them, and close them if they don't apply to
libapache2-mod-php5 anymore.
Don't hesitate to reply to this mail if you have any question.
--
Lucas
Tags removed: security
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Wed, 07 May 2008 10:24:03 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Fri, 08 Jan 2010 15:24:05 GMT) (full text, mbox, link).
Notification sent
to Carsten Wolff <carsten@wolffcarsten.de>:
Bug acknowledged by developer.
(Fri, 08 Jan 2010 15:24:05 GMT) (full text, mbox, link).
Message #41 received at 317577-done@bugs.debian.org (full text, mbox, reply):
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Fri, 08 Jan 2010 15:24:06 GMT) (full text, mbox, link).
Notification sent
to Marek Drápal <drapal@email.cz>:
Bug acknowledged by developer.
(Fri, 08 Jan 2010 15:24:06 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 06 Feb 2010 07:28:49 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 03:06:08 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.