Acknowledgement sent to thorben <thorben@gawab.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Package: libapache2-mod-php4
Version: 4.3.10-15
same bug as described in version 5.0.4
http://bugs.php.net/bug.php?id=32937
if somebody has a directory structure like this:
/srv/user1
/srv/user2
.
.
.
/srv/user10
/srv/user11
user1 can access the files of user10 and user12 via PHP although
open_basedir is set
I talked to a PHP developer, for him it is fixed.
I am using debian sarge with no other patches / backports etc.
this bug is possibly in all php versions, I also found it in 4.4.0 on
gentoo linux
greetings
thorben
Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility.
Notification sent to thorben <thorben@gawab.com>:
Bug acknowledged by developer.
thorben wrote:
>
> if somebody has a directory structure like this:
> /srv/user1
> /srv/user2
> .
> .
> .
> /srv/user10
> /srv/user11
>
> user1 can access the files of user10 and user12 via PHP although
> open_basedir is set
Are you using a trailing slash on your open_basedir directives? From
the PHP manual:
> The restriction specified with open_basedir is actually a prefix, not
> a directory name. This means that "open_basedir = /dir/incl" also
> allows access to "/dir/include" and "/dir/incls" if they exist. When
> you want to restrict access to only the specified directory, end with
> a slash. For example: "open_basedir = /dir/incl/"
... Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to thorben <thorben@gawab.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
sry for bothering you again, but why is it closed?
the "yes I used it,..." from further mail meant that I used the
trailing "/" as described by the php manual and you (sry for
misunderstandings)
my configuration is:
<virtualhost...>
...
php_admin_value open_basedir /var/www/user1/
...
</virtualhost>
greets
thorben
> This is an automatic notification regarding your Bug report
> #323585: libapache2-mod-php4 - open_basedir bug - security,
> which was filed against the libapache2-mod-php4 package.
> It has been closed by one of the developers, namely
> Adam Conrad <adconrad@0c3.net>.
> Their explanation is attached below. If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact the developer, by replying to this email.
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
> thorben wrote:
>>
>> if somebody has a directory structure like this:
>> /srv/user1
>> /srv/user2
>> .
>> .
>> .
>> /srv/user10
>> /srv/user11
>>
>> user1 can access the files of user10 and user12 via PHP although
>> open_basedir is set
> Are you using a trailing slash on your open_basedir directives? From
> the PHP manual:
>> The restriction specified with open_basedir is actually a prefix, not
>> a directory name. This means that "open_basedir = /dir/incl" also
>> allows access to "/dir/include" and "/dir/incls" if they exist. When
>> you want to restrict access to only the specified directory, end with
>> a slash. For example: "open_basedir = /dir/incl/"
> ... Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
reopen 323585
kthxbye
thorben wrote:
> hi,
> yes I used it, sry for not writing that
Hrm, okay. On further investigation, you are right, the trailing slash
seems to do no good whatsoever. Fun. Reopening the bug.
... Adam
Bug reopened, originator not changed.
Request was from Adam Conrad <adconrad@0c3.net>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
thorben wrote:
> sry for bothering you again, but why is it closed?
Time delay, that's all. It was already reopened by the time you got the
close message. :)
... Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Alright, I've hunted this down to a small thinko in
main/fopen_wrappers.c. Attached is a patch against php5 (applies cleanly
to php4 as well, with a minor offset). A Debian security release for
this should happen reasonably soon, but you're free to recompile with
this patch, should you want it fixed ASAP.
... Adam
--- fopen_wrappers.c.old 2005-07-16 12:14:44.000000000 +0000
+++ fopen_wrappers.c 2005-09-26 09:07:55.000000000 +0000
@@ -109,8 +109,8 @@
/* Handler for basedirs that end with a / */
resolved_basedir_len = strlen(resolved_basedir);
if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
resolved_basedir[++resolved_basedir_len] = '\0';
}
}
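Review bot: the added branch grows resolved_basedir by one byte (separator at index resolved_basedir_len, terminator at the next index), but nothing in this hunk checks that the buffer has room for it; a resolved path that already fills the buffer would be written past its end. Compare resolved_basedir_len + 1 against the buffer's capacity before appending, and treat the no-room case as a denied access rather than skipping the append. Separately, the context lines index basedir[strlen(basedir) - 1] and resolved_basedir[resolved_basedir_len - 1] without ruling out an empty string; if the caller does not guarantee non-empty values, both need a length check first.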
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Hi!
I requested a CVE number for this:
======================================================
Candidate: CAN-2005-3054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3054
fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not
properly restrict access to other directories when the open_basedir
directive includes a trailing slash, which allows PHP scripts in one
directory to access files in other directories whose names are
substrings of the original directory.
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
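
The prefix check described in the CVE text above, modelled in C as an added example; it is not PHP's source and not part of the original thread. The `canonicalise` and `allowed` helpers, the 64-byte buffer and the sample paths are constructed, and it is assumed that canonicalisation drops the basedir's trailing separator before the trailing-slash handler runs.

```c
#include <stdio.h>
#include <string.h>

#define DIR_SEP '/'   /* stands in for PHP_DIR_SEPARATOR on Unix */
#define CAP 64        /* constructed buffer size for this model */

/* Assumption: canonicalisation returns the basedir without its trailing
 * separator, as realpath(3) does. Returns 0 if the path does not fit. */
static size_t canonicalise(const char *basedir, char *out) {
    size_t len = strlen(basedir);
    if (len == 0 || len >= CAP) return 0;
    memcpy(out, basedir, len + 1);
    while (len > 1 && out[len - 1] == DIR_SEP) out[--len] = '\0';
    return len;
}

/* Returns 1 if path passes the prefix check for basedir, else 0.
 * fixed=0 follows the removed lines of the patch, fixed=1 the added ones. */
static int allowed(const char *basedir, const char *path, int fixed) {
    char resolved[CAP];
    size_t len = canonicalise(basedir, resolved);
    if (len == 0) return 0;                         /* fail closed */
    if (basedir[strlen(basedir) - 1] == DIR_SEP) {  /* basedir ends with a / */
        if (!fixed) {
            /* Old test: only true if the separator survived resolution,
             * which it did not, so nothing is appended. */
            if (resolved[len - 1] == '/' && len + 1 < CAP) {
                resolved[len - 1] = DIR_SEP;
                resolved[++len] = '\0';
            }
        } else if (resolved[len - 1] != DIR_SEP) {
            if (len + 2 > CAP) return 0;            /* no room: deny */
            resolved[len] = DIR_SEP;                /* re-append separator */
            resolved[++len] = '\0';
        }
    }
    return strncmp(resolved, path, len) == 0;       /* prefix comparison */
}

int main(void) {
    /* Constructed paths matching the layout in the report. */
    const char *paths[] = { "/srv/user1/index.php", "/srv/user10/secret.php",
                            "/srv/user2/index.php" };
    for (int i = 0; i < 3; i++)
        printf("%-24s before=%d after=%d\n", paths[i],
               allowed("/srv/user1/", paths[i], 0),
               allowed("/srv/user1/", paths[i], 1));
    return 0;
}
```

With `open_basedir` set to `/srv/user1/`, the pre-patch logic compares against the bare prefix `/srv/user1` and so admits `/srv/user10/...`; once the separator is re-appended, only paths under `/srv/user1/` match.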
Source: php4
Source-Version: 4:4.4.0-3
We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:
libapache-mod-php4_4.4.0-3_i386.deb
to pool/main/p/php4/libapache-mod-php4_4.4.0-3_i386.deb
libapache2-mod-php4_4.4.0-3_i386.deb
to pool/main/p/php4/libapache2-mod-php4_4.4.0-3_i386.deb
php4-cgi_4.4.0-3_i386.deb
to pool/main/p/php4/php4-cgi_4.4.0-3_i386.deb
php4-cli_4.4.0-3_i386.deb
to pool/main/p/php4/php4-cli_4.4.0-3_i386.deb
php4-common_4.4.0-3_i386.deb
to pool/main/p/php4/php4-common_4.4.0-3_i386.deb
php4-curl_4.4.0-3_i386.deb
to pool/main/p/php4/php4-curl_4.4.0-3_i386.deb
php4-dev_4.4.0-3_i386.deb
to pool/main/p/php4/php4-dev_4.4.0-3_i386.deb
php4-domxml_4.4.0-3_i386.deb
to pool/main/p/php4/php4-domxml_4.4.0-3_i386.deb
php4-gd_4.4.0-3_i386.deb
to pool/main/p/php4/php4-gd_4.4.0-3_i386.deb
php4-ldap_4.4.0-3_i386.deb
to pool/main/p/php4/php4-ldap_4.4.0-3_i386.deb
php4-mcal_4.4.0-3_i386.deb
to pool/main/p/php4/php4-mcal_4.4.0-3_i386.deb
php4-mhash_4.4.0-3_i386.deb
to pool/main/p/php4/php4-mhash_4.4.0-3_i386.deb
php4-mysql_4.4.0-3_i386.deb
to pool/main/p/php4/php4-mysql_4.4.0-3_i386.deb
php4-odbc_4.4.0-3_i386.deb
to pool/main/p/php4/php4-odbc_4.4.0-3_i386.deb
php4-pear_4.4.0-3_all.deb
to pool/main/p/php4/php4-pear_4.4.0-3_all.deb
php4-pgsql_4.4.0-3_i386.deb
to pool/main/p/php4/php4-pgsql_4.4.0-3_i386.deb
php4-recode_4.4.0-3_i386.deb
to pool/main/p/php4/php4-recode_4.4.0-3_i386.deb
php4-snmp_4.4.0-3_i386.deb
to pool/main/p/php4/php4-snmp_4.4.0-3_i386.deb
php4-sybase_4.4.0-3_i386.deb
to pool/main/p/php4/php4-sybase_4.4.0-3_i386.deb
php4-xslt_4.4.0-3_i386.deb
to pool/main/p/php4/php4-xslt_4.4.0-3_i386.deb
php4_4.4.0-3.diff.gz
to pool/main/p/php4/php4_4.4.0-3.diff.gz
php4_4.4.0-3.dsc
to pool/main/p/php4/php4_4.4.0-3.dsc
php4_4.4.0-3_all.deb
to pool/main/p/php4/php4_4.4.0-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 323585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated php4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 27 Sep 2005 16:12:05 +1000
Source: php4
Binary: php4-sybase php4-recode php4-cgi libapache-mod-php4 php4-cli php4-dev php4-snmp libapache2-mod-php4 php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-common php4 php4-curl php4-pear php4-mcal php4-mhash php4-pgsql
Architecture: source i386 all
Version: 4:4.4.0-3
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
php4 - server-side, HTML-embedded scripting language (meta-package)
php4-cgi - server-side, HTML-embedded scripting language (CGI binary)
php4-cli - command-line interpreter for the php4 scripting language
php4-common - Common files for packages built from the php4 source
php4-curl - CURL module for php4
php4-dev - Files for PHP4 module development
php4-domxml - XMLv2 module for php4
php4-gd - GD module for php4
php4-ldap - LDAP module for php4
php4-mcal - MCAL calendar module for php4
php4-mhash - MHASH module for php4
php4-mysql - MySQL module for php4
php4-odbc - ODBC module for php4
php4-pear - PHP Extension and Application Repository (transitional package)
php4-pgsql - PostgreSQL module for php4
php4-recode - Character recoding module for php4
php4-snmp - SNMP module for php4
php4-sybase - Sybase / MS SQL Server module for php4
php4-xslt - XSLT module for php4
Closes: 323585
Changes:
php4 (4:4.4.0-3) unstable; urgency=low
.
* Remove Andres Salomon from the Uploaders field, at his request. Thanks
for all your work on the PHP packages, Andres, now fix our kernel bugs.
* Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
is set to "/foo/", users can access files in "/foobar/", which is not the
documented behaviour; this addresses CAN-2005-3054 (closes: #323585)
* Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
checks to the _php_image_output and _php_image_output_ctx GD functions.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to Allard Hoeve <allard@byte.nl>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Bug reopened, originator not changed.
Request was from Allard Hoeve <allard@byte.nl>
to control@bugs.debian.org.
Tags added: sarge
Request was from Allard Hoeve <allard@byte.nl>
to control@bugs.debian.org.
Bug marked as found in version 4:4.3.10-16.
Request was from Allard Hoeve <allard@byte.nl>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#323585; Package libapache2-mod-php4.
Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Subject: Reassigning bugs from libapache2-mod-php4 to libapache2-mod-php5
Date: Mon, 05 May 2008 10:19:37 +0200
reassign 370375 libapache2-mod-php5
reassign 341346 libapache2-mod-php5
reassign 392839 libapache2-mod-php5
reassign 298052 libapache2-mod-php5
reassign 424937 libapache2-mod-php5
reassign 410549 libapache2-mod-php5
reassign 386041 libapache2-mod-php5
reassign 271856 libapache2-mod-php5
reassign 456728 libapache2-mod-php5
reassign 264806 libapache2-mod-php5
reassign 323585 libapache2-mod-php5
thanks
The libapache2-mod-php4 package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the libapache2-mod-php5 package. Please
have a look at them, and close them if they don't apply to
libapache2-mod-php5 anymore.
Don't hesitate to reply to this mail if you have any question.
--
Lucas
Hi,
I'm closing this bug for two reasons:
1) It's in sarge, but sarge is EOL'd so can't be updated anymore;
2) We do not consider open_basedir bugs security critical.
bye,
Thijs