Bug #63965 [Com]: php-fpm site-specific settings go global

steven dot hartland at multiplay dot co dot uk Fri, 19 Apr 2013 03:43:18 -0700

Edit report at https://bugs.php.net/bug.php?id=63965&edit=1


 ID:                 63965
 Comment by:         steven dot hartland at multiplay dot co dot uk
 Reported by:        markku dot niskanen at gmail dot com
 Summary:            php-fpm site-specific settings go global
 Status:             Open
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Centos 6.2
 PHP Version:        5.3.20
 Block user comment: N
 Private report:     N

 New Comment:

This is a very nasty security risk, with settings applied to trusted hosts 
being 
leaked to other vhosts.

It essentially means that if PHP_VALUE or PHP_ADMIN_VALUE is used then every 
value 
set must then be explicitly set for every vhost otherwise the settings leak.

This will also cause random behaviour dependent on request order.

This should be reclassified as security and FPM module


Previous Comments:
------------------------------------------------------------------------
[2013-01-11 10:41:43] markku dot niskanen at gmail dot com

The setup code got broken during upload but you should get the idea.

------------------------------------------------------------------------
[2013-01-11 10:40:26] markku dot niskanen at gmail dot com

Description:
------------
# this is an nginx configuration for *.thiscustomer.com
# it should ONLY affect *.thiscustomer.com, no other domains
server {
server_name .thiscustomer.com;
#... normal stuff removed ...
location ~ \.php$ {
# now set  for THIS site
fastcgi_param PHP_VALUE 
"auto_prepend_file=/home/thiscustomer/lib/modules/ThisModule.class.php";
# ..other normal stuff from this on...
}
}


Test script:
---------------
Now first simply go any other site, say "www.thatcustomer.com" on the same 
server and everything works fine. 

Then go to "www.thiscustomer.com" (the example site) and everything works fine.

Then again go to "www.thatcustomer.com" and you will see that you will have an 
"open_basedir restriction", PHP trying to load file (prepending) 
/home/thiscustomer/lib/modules/ThisModule.class.php

So the auto_prepend_file value is changed GLOBALLY and permanently until some 
other domain changes it again. The same goes for ANY PHP_VALUE or 
PHP_ADMIN_VALUE but this is the one that will definitely break all sites.

Tested in PHP 5.3.19 and 5.3.20, two different servers, two different operating 
systems (Centos 5.8 and Centos 6.2).



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=63965&edit=1

Bug #63965 [Com]: php-fpm site-specific settings go global

Reply via email to