Debian Bug report logs - #416424
SuPHP security issue: Replace AddHandler by AddType

Package: libapache2-mod-suphp; Maintainer for libapache2-mod-suphp is Emmanuel Lacour <elacour@home-dn.net>; Source for libapache2-mod-suphp is src:suphp.

Reported by: Fili <fili@fili.nl>

Date: Sat, 17 Mar 2007 14:24:05 UTC

Severity: critical

Tags: security

Found in version suphp/0.6.2-1

Fixed in version suphp/0.6.2-2

Done: Emmanuel Lacour <elacour@home-dn.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Emmanuel Lacour <elacour@home-dn.net>:
Bug#415254; Package libapache-mod-suphp.


Acknowledgement sent to Fili <fili@fili.nl>:
New Bug report received and forwarded. Copy sent to Emmanuel Lacour <elacour@home-dn.net>.


Message #5 received at submit@bugs.debian.org:

From: Fili <fili@fili.nl>
To: submit@bugs.debian.org
Cc: fili@fili.nl
Subject: SuPHP security issue: using AddHandler instead of AddType
Date: Sat, 17 Mar 2007 15:22:42 +0100
Package: libapache-mod-suphp
Version: 0.5.2-3
Severity: critical

There seems to be a serious security bug when using suphp
with apache 1.3.x on Sarge (and also on Etch).

Due to a bug in the suphp (or apache) package it is
necessary to use
	AddHandler x-httpd-php .php

instead of the preferred
	AddType x-httpd-php .php

Because of this a file called 'image.php.jpg' is
interpreted and executed as a PHP file (not as an image).
Which makes the execution of arbitrary code possible when
(for example) a poorly written image-upload form fails to
properly check the file-extension.

More info can be found here:
http://www.mail-archive.com/suphp@lists.marsching.biz/msg00065.html

Note: Apache2 doesn't seem affected. It however generates a
'[warn] Cannot get media type from x-httpd-php' warning in
the apache error-log, each time a php-file is called upon.

Regards,
Fili





Tags added: security Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 17 Mar 2007 21:18:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Emmanuel Lacour <elacour@home-dn.net>:
Bug#415254; Package libapache-mod-suphp.


Acknowledgement sent to Peter Thomassen <mail@peter-thomassen.de>:
Extra info received and forwarded to list. Copy sent to Emmanuel Lacour <elacour@home-dn.net>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.


Message #12 received at 415254@bugs.debian.org:

From: Peter Thomassen <mail@peter-thomassen.de>
To: 415254@bugs.debian.org
Cc: control@bugs.debian.org
Date: Tue, 27 Mar 2007 22:54:26 +0200
retitle 415254 SuPHP security issue: Replace AddHandler by AddType
clone 415254 -1
reassign -1 libapache2-mod-suphp 0.6.2-1
thanks 

Fili mixed things up: According to Sebastian's reply[1], the solution is to 
use AddType instead of AddHandler, not vice versa!

  [1]: http://www.mail-archive.com/suphp%40lists.marsching.biz/msg00067.html

Additionally, libapache2-mod-suphp is also affected.
-- 
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • mail@peter-thomassen.de
               fon +49-931-2705351 • mobil +49-176-63159879

Changed Bug title to SuPHP security issue: Replace AddHandler by AddType from SuPHP security issue: using AddHandler instead of AddType. Request was from Peter Thomassen <mail@peter-thomassen.de> to control@bugs.debian.org. (Tue, 27 Mar 2007 20:57:06 GMT)


Bug 415254 cloned as bug 416424. Request was from Peter Thomassen <mail@peter-thomassen.de> to control@bugs.debian.org. (Tue, 27 Mar 2007 20:57:07 GMT)


Bug reassigned from package `libapache-mod-suphp' to `libapache2-mod-suphp'. Request was from Peter Thomassen <mail@peter-thomassen.de> to control@bugs.debian.org. (Tue, 27 Mar 2007 20:57:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#416424; Package libapache2-mod-suphp.


Acknowledgement sent to Emmanuel Lacour <elacour@home-dn.net>:
Extra info received and forwarded to list.


Message #23 received at 416424@bugs.debian.org:

From: Emmanuel Lacour <elacour@home-dn.net>
To: 416424@bugs.debian.org
Cc: Peter Thomassen <mail@peter-thomassen.de>
Subject: Re: Bug#415254: SuPHP security issue: using AddHandler instead of AddType]
Date: Wed, 28 Mar 2007 21:22:46 +0200
Same answer as #415254:

 
 According to a mail from Jochen Schalanda on the suphp mailing lists. It
 is not a bug in suphp. It's an apache misconfiguration.
 
 He gave us some interesting links:
 
 http://httpd.apache.org/docs/2.0/mod/mod_mime.html#multipleext
 http://httpd.apache.org/docs/1.3/mod/mod_mime.html
 
 For people wanting to strictly check the extension, he suggests using
 SetHandler with FilesMatch.
 
 http://httpd.apache.org/docs/2.0/mod/core.html#filesmatch
 http://httpd.apache.org/docs/2.0/mod/core.html#sethandler
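
A simplified model of the mod_mime multiple-extension rules linked above, as an added example that is not part of this bug thread or of the suphp package: it reports which file names each of the three configurations discussed here would hand to PHP. The extension tables, the `\.php$` pattern and the sample names are constructed assumptions.

```python
import re

# Constructed mappings that mirror the directives named in the thread.
ADDHANDLER = {"php": "x-httpd-php"}          # AddHandler x-httpd-php .php
PHP_TYPE = "application/x-httpd-php"
ADDTYPE = {"php": PHP_TYPE,                  # AddType application/x-httpd-php .php
           "jpg": "image/jpeg", "txt": "text/plain"}
FILESMATCH = re.compile(r"\.php$")           # <FilesMatch "\.php$"> + SetHandler


def extensions(name):
    """mod_mime treats every dot-separated part after the first as an extension."""
    return [part.lower() for part in name.split(".")[1:] if part]


def runs_with_addhandler(name):
    # A handler set by one extension stays in force unless a later
    # extension also maps to a handler; ".jpg" only maps to a media type.
    handler = None
    for ext in extensions(name):
        handler = ADDHANDLER.get(ext, handler)
    return handler == "x-httpd-php"


def runs_with_addtype(name):
    # For media types the right-most extension with a mapping wins;
    # extensions without a mapping are skipped.
    ctype = None
    for ext in extensions(name):
        ctype = ADDTYPE.get(ext, ctype)
    return ctype == PHP_TYPE


def runs_with_filesmatch(name):
    # Strict check: only a name that ends in ".php" gets the handler.
    return FILESMATCH.search(name) is not None


def audit(names):
    """Map each name to (AddHandler, AddType, FilesMatch) execution verdicts."""
    return {n: (runs_with_addhandler(n), runs_with_addtype(n),
                runs_with_filesmatch(n)) for n in names}


# Constructed sample of names as found in a web-writable directory.
SAMPLE = ["index.php", "image.jpg", "image.php.jpg", "notes.php.bak"]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:15} AddHandler={verdict[0]} AddType={verdict[1]} FilesMatch={verdict[2]}")
```

The `notes.php.bak` row shows an extension with no mapping leaving the PHP type in place under AddType, which is the case the strict FilesMatch check covers.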
 



Information forwarded to debian-bugs-dist@lists.debian.org, Emmanuel Lacour <elacour@home-dn.net>:
Bug#416424; Package libapache2-mod-suphp.


Acknowledgement sent to Peter Thomassen <mail@peter-thomassen.de>:
Extra info received and forwarded to list. Copy sent to Emmanuel Lacour <elacour@home-dn.net>.


Message #28 received at 416424@bugs.debian.org:

From: Peter Thomassen <mail@peter-thomassen.de>
To: 416424@bugs.debian.org
Cc: Emmanuel Lacour <elacour@home-dn.net>
Subject: Re: Bug#415254: SuPHP security issue: using AddHandler instead of AddType]
Date: Wed, 28 Mar 2007 23:25:16 +0200
On Wednesday, 28 March 2007 21:22:46, Emmanuel Lacour wrote:
>  According to a mail from Jochen Schalanda on the suphp mailing lists. It
>  is not a bug in suphp. It's an apache misconfiguration.

Indeed, it's not a bug in suPHP, but it's a bug in the libapache2-mod-suphp 
package because it contains the Apache configuration file and ships with an 
insecure configuration.

So, why not include the FilesMatch thing?

Yesterday, I tried that out and noticed that it broke two web sites hosted on 
our server. In the next days, I'll do some further testing to discover the 
reason, and report back again.
-- 
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • mail@peter-thomassen.de
               fon +49-931-2705351 • mobil +49-176-63159879

Reply sent to Emmanuel Lacour <elacour@home-dn.net>:
You have taken responsibility.


Notification sent to Fili <fili@fili.nl>:
Bug acknowledged by developer.


Message #33 received at 416424-close@bugs.debian.org:

From: Emmanuel Lacour <elacour@home-dn.net>
To: 416424-close@bugs.debian.org
Subject: Bug#416424: fixed in suphp 0.6.2-2
Date: Thu, 18 Oct 2007 15:03:30 +0000
Source: suphp
Source-Version: 0.6.2-2

We believe that the bug you reported is fixed in the latest version of
suphp, which is due to be installed in the Debian FTP archive:

libapache2-mod-suphp_0.6.2-2_i386.deb
  to pool/main/s/suphp/libapache2-mod-suphp_0.6.2-2_i386.deb
suphp-common_0.6.2-2_i386.deb
  to pool/main/s/suphp/suphp-common_0.6.2-2_i386.deb
suphp_0.6.2-2.diff.gz
  to pool/main/s/suphp/suphp_0.6.2-2.diff.gz
suphp_0.6.2-2.dsc
  to pool/main/s/suphp/suphp_0.6.2-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 416424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Lacour <elacour@home-dn.net> (supplier of updated suphp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 14 Oct 2007 19:42:30 +0200
Source: suphp
Binary: libapache2-mod-suphp suphp-common
Architecture: source i386
Version: 0.6.2-2
Distribution: unstable
Urgency: low
Maintainer: fpeters@debian.org
Changed-By: Emmanuel Lacour <elacour@home-dn.net>
Description: 
 libapache2-mod-suphp - Apache2 module to run php scripts with the owner permissions
 suphp-common - Common files for mod suphp
Closes: 416424 429079
Changes: 
 suphp (0.6.2-2) unstable; urgency=low
 .
   * remove apache 1.x package (closes: #429079)
   * debian/rules, debian/compat, debian/control: lintian cleanup
   * debian/conf/suphp.conf, debian/patches/01_debian.dpatch: replaced
     AddHandler by AddType and x-httpd-php by application/x-httpd-php to get
     the same behavior as mod php with filenames extensions (closes: #416424)
Files: 
 6cc2c78e737f46e07bae8861fb5eb4c3 733 web optional suphp_0.6.2-2.dsc
 fece84144ec27630ab83b4c7ebd68b39 82062 web optional suphp_0.6.2-2.diff.gz
 e7afcb27c06eee8d1387df76698eb874 78610 web optional suphp-common_0.6.2-2_i386.deb
 e571f7497b35654ab5fc83f9a7365c5c 16668 web optional libapache2-mod-suphp_0.6.2-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHF3ImoR3LsWeD7V4RAgluAJ9OQzlK5gHug4m4+l+fUkcCqlM3aQCglZn2
xrj1Cx1xKlM3MVxEEsGMR2k=
=v8gU
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:12:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 13:26:42 2018; Machine Name: beach
