Package: libapache-mod-php4 Version: 4:4.3.10-15 Severity: grave Tags: security Justification: user security hole
In my sarge installation I experience problems, that are at least related to this upstream bugreport: http://bugs.php.net/bug.php?id=25753 This (closed) report states, that the problem is fixed by a 3-line patch. That code is in the 4.3.10-15 package, but still mod_php shows the same behaviour under some circumstances: I have several virtualhosts on my system. Some of them I had configured to use phpbb2 from debian. For that the phpbb2-package suggests to load per-virtualhost configurations by adding a "php_value auto_prepend_file" directive to the respective virtualhost-section. So I did: <VirtualHost 123.123.123.123:80> ServerName v1.xyz.ab DocumentRoot /usr/share/phpbb2/site php_value auto_prepend_file /etc/phpbb2/v1.xyz.ab.php </VirtualHost> <VirtualHost 123.123.123.123:80> ServerName v2.xyz.ab DocumentRoot /usr/share/phpbb2/site php_value auto_prepend_file /etc/phpbb2/v2.xyz.ab.php </VirtualHost> Now when I open v1.xyz.ab in a browser, it will randomly load either configuration, depending on which child-process answers the request. if I add a phpinfo(); at the right place, I can even see, that "auto_prepend_file" sporadically has the (wrong) value "/etc/phpbb2/v2.xyz.ab.php". The upstram bugreport states, this would have only occured before their bugfix, when a php-source-file had the "x" flag set. Of course the source from phpbb2 has 644 rights and appearently, there are still some other situations, where the bug occurs. This bug is at least annoying, preventing the use of per-virtualhost configuration. It can even be dangerous, if f.e. base-dir restrictions are applied to the wrong virtualhosts, so that users gain access to data of other users. For more Information, f.e. for help reproducing the error, please feel free to ask. Cheers Carsten -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.11.7 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages libapache-mod-php4 depends on: ii apache-common 1.3.33-6 support files for all Apache webse ii debconf [debconf-2.0] 1.4.30.13 Debian configuration management sy ii libbz2-1.0 1.0.2-7 high-quality block-sorting file co ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libcomerr2 1.37-2sarge1 common error description library ii libdb4.2 4.2.52-18 Berkeley v4.2 Database Libraries [ ii libexpat1 1.95.8-3 XML parsing C library - runtime li ii libkrb53 1.3.6-2 MIT Kerberos runtime libraries ii libmagic1 4.12-1 File type determination library us ii libpcre3 4.5-1.2 Perl 5 Compatible Regular Expressi ii libssl0.9.7 0.9.7e-3 SSL shared libraries ii libzzip-0-12 0.12.83-4 library providing read access on Z ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap ii php4-common 4:4.3.10-15 Common files for packages built fr ii zlib1g 1:1.2.2-4.sarge.1 compression library - runtime -- debconf information: php4/update_apache_php_ini: true -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]