Bug#317577: libapache-mod-php4: php_value specified in within a virtualhost-section may spread to other v-hosts

2005-07-10 Thread Steve Langasek
tags 317577 unreproducible moreinfo
thanks

On Sat, Jul 09, 2005 at 10:03:58PM +0200, Carsten Wolff wrote:
> I have several virtualhosts on my system. Some of them I had configured
> to use phpbb2 from debian. For that the phpbb2-package suggests to load
> per-virtualhost configurations by adding a php_value auto_prepend_file
> directive to the respective virtualhost-section. So I did:
>
> <VirtualHost 123.123.123.123:80>
> ServerName v1.xyz.ab
> DocumentRoot /usr/share/phpbb2/site
> php_value auto_prepend_file /etc/phpbb2/v1.xyz.ab.php
> </VirtualHost>
>
> <VirtualHost 123.123.123.123:80>
> ServerName v2.xyz.ab
> DocumentRoot /usr/share/phpbb2/site
> php_value auto_prepend_file /etc/phpbb2/v2.xyz.ab.php
> </VirtualHost>
>
> Now when I open v1.xyz.ab in a browser, it will randomly load either
> configuration, depending on which child-process answers the request. If
> I add a phpinfo(); at the right place, I can even see that
> auto_prepend_file sporadically has the (wrong) value
> /etc/phpbb2/v2.xyz.ab.php.

This bug is 100% unreproducible for me here.  Are you sure
123.123.123.123:80 is configured as a NameVirtualHost?  Do the
auto_prepend_file values from phpinfo() match the SERVER_NAME values?

-- 
Steve Langasek
postmodern programmer





2005-07-10 Thread Carsten Wolff
On Sunday 10 July 2005 11:08, Steve Langasek wrote:
> This bug is 100% unreproducible for me here.  Are you sure
> 123.123.123.123:80 is configured as a NameVirtualHost?  Do the
> auto_prepend_file values from phpinfo() match the SERVER_NAME values?

Yes I'm sure, I have about 50 (sub-)domains on that server configured through
NameVirtualHost and so far everything worked fine. Interestingly enough, only
the phpbb2-VirtualHosts (which are the only ones f.e. sharing the same
DocumentRoot) seem to be affected by the bug, i.e. the php_(admin)_values
only leak between them, other domains are not affected. It seems that the
fact that they have some things in common plays a role here.

auto_prepend_file is not the only value that shows this behavior, it's 
actually every php_(admin)_value|flag.

The SERVER_NAME in phpinfo() is always correct, in fact I used it to work 
around auto_prepend_file and include configs depending on 
$_SERVER['SERVER_NAME'].

I can either send you more Info like URLs and configs in private mail, if you 
want to see for yourself, or if you're on IRC we can debug it together. I'm 
currently in #debian as wolffc.





2005-07-09 Thread Carsten Wolff
Package: libapache-mod-php4
Version: 4:4.3.10-15
Severity: grave
Tags: security
Justification: user security hole


In my sarge installation I experience problems, that are at least
related to this upstream bugreport:

http://bugs.php.net/bug.php?id=25753

This (closed) report states, that the problem is fixed by a 3-line patch. That
code is in the 4.3.10-15 package, but still mod_php shows the same behaviour
under some circumstances:

I have several virtualhosts on my system. Some of them I had configured
to use phpbb2 from debian. For that the phpbb2-package suggests to load
per-virtualhost configurations by adding a php_value auto_prepend_file
directive to the respective virtualhost-section. So I did:

<VirtualHost 123.123.123.123:80>
ServerName v1.xyz.ab
DocumentRoot /usr/share/phpbb2/site
php_value auto_prepend_file /etc/phpbb2/v1.xyz.ab.php
</VirtualHost>

<VirtualHost 123.123.123.123:80>
ServerName v2.xyz.ab
DocumentRoot /usr/share/phpbb2/site
php_value auto_prepend_file /etc/phpbb2/v2.xyz.ab.php
</VirtualHost>

Now when I open v1.xyz.ab in a browser, it will randomly load either
configuration, depending on which child-process answers the request. If
I add a phpinfo(); at the right place, I can even see that
auto_prepend_file sporadically has the (wrong) value
/etc/phpbb2/v2.xyz.ab.php.

The upstream bugreport states this would have only occurred before their
bugfix, when a php-source-file had the x flag set. Of course the
source from phpbb2 has 644 rights and apparently there are still some
other situations where the bug occurs.

This bug is at least annoying, preventing the use of per-virtualhost
configuration. It can even be dangerous, if f.e. base-dir restrictions
are applied to the wrong virtualhosts, so that users gain access to data
of other users.

For more Information, f.e. for help reproducing the error, please feel
free to ask.

Cheers
Carsten

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libapache-mod-php4 depends on:
ii  apache-common          1.3.33-6           support files for all Apache webse
ii  debconf [debconf-2.0]  1.4.30.13          Debian configuration management sy
ii  libbz2-1.0             1.0.2-7            high-quality block-sorting file co
ii  libc6                  2.3.2.ds1-22       GNU C Library: Shared libraries an
ii  libcomerr2             1.37-2sarge1       common error description library
ii  libdb4.2               4.2.52-18          Berkeley v4.2 Database Libraries [
ii  libexpat1              1.95.8-3           XML parsing C library - runtime li
ii  libkrb53               1.3.6-2            MIT Kerberos runtime libraries
ii  libmagic1              4.12-1             File type determination library us
ii  libpcre3               4.5-1.2            Perl 5 Compatible Regular Expressi
ii  libssl0.9.7            0.9.7e-3           SSL shared libraries
ii  libzzip-0-12           0.12.83-4          library providing read access on Z
ii  mime-support           3.28-1             MIME files 'mime.types' & 'mailcap
ii  php4-common            4:4.3.10-15        Common files for packages built fr
ii  zlib1g                 1:1.2.2-4.sarge.1  compression library - runtime

-- debconf information:
  php4/update_apache_php_ini: true
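
The check discussed in this thread (does the effective auto_prepend_file match SERVER_NAME, and which child process served the request) can be automated. The following is an added example, not code from the thread or from the php4 package: it parses the per-vhost php_value settings from the configuration in the report and compares them with probe records. The probe line format (SERVER_NAME, child PID, effective auto_prepend_file) and the PIDs are assumptions constructed for illustration.

```python
import re

# Constructed sample: the two vhosts from the report, in Apache syntax.
APACHE_CONF = """
<VirtualHost 123.123.123.123:80>
ServerName v1.xyz.ab
DocumentRoot /usr/share/phpbb2/site
php_value auto_prepend_file /etc/phpbb2/v1.xyz.ab.php
</VirtualHost>
<VirtualHost 123.123.123.123:80>
ServerName v2.xyz.ab
DocumentRoot /usr/share/phpbb2/site
php_value auto_prepend_file /etc/phpbb2/v2.xyz.ab.php
</VirtualHost>
"""
# Constructed probe output (hypothetical format): SERVER_NAME, child PID, effective value.
PROBE_LOG = """\
v1.xyz.ab 4101 /etc/phpbb2/v1.xyz.ab.php
v2.xyz.ab 4102 /etc/phpbb2/v2.xyz.ab.php
v1.xyz.ab 4102 /etc/phpbb2/v2.xyz.ab.php
v2.xyz.ab 4101 /etc/phpbb2/v1.xyz.ab.php
"""

def expected_settings(conf, key="auto_prepend_file"):
    """Map ServerName -> value configured via php_value/php_admin_value for `key`."""
    expected = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        val = re.search(r"^\s*php_(?:admin_)?value\s+%s\s+(\S+)" % re.escape(key), block, re.M | re.I)
        if name and val:
            expected[name.group(1)] = val.group(1)
    return expected

def find_leaks(conf, probe_log):
    """Return {pid: [(server_name, seen, expected), ...]} for mismatching requests."""
    expected, leaks = expected_settings(conf), {}
    for line in probe_log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in expected:
            continue  # malformed line, or a vhost without a per-vhost setting
        host, pid, seen = parts
        if seen != expected[host]:
            leaks.setdefault(int(pid), []).append((host, seen, expected[host]))
    return leaks

if __name__ == "__main__":
    for pid, hits in sorted(find_leaks(APACHE_CONF, PROBE_LOG).items()):
        for host, seen, want in hits:
            print(f"child {pid}: {host} got {seen}, configured {want}")
```

Grouping mismatches by child PID shows whether the wrong value follows particular child processes, which is the pattern described in the report.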

