#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-08-08 Thread ron at dse dot nl
 ID:   25753
 Comment by:   ron at dse dot nl
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

I think this problem still exists in version 4.3.8 and this bug report
should be reopened. See my comments at:
http://bugs.php.net/bug.php?id=25876


Previous Comments:


[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500
@@ -830,6 +830,9 @@
}
if(!AP(xbithack)) {
r-allowed |= (1  METHODS) - 1;
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
return DECLINED;
}
return send_parsed_php(r);
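
Review bot: The added zend_ini_deactivate() covers only the `return DECLINED` inside `if(!AP(xbithack))`, so any other exit taken after the per-directory settings are applied would still leave them active; the block closed by the `}` context line above is not visible here and should be checked for the same problem. A single cleanup path shared by every decline would be less fragile than per-return resets. A short comment on the new lines saying why a declined request must restore ini state would also help.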




#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-02-23 Thread schack at tdconline dot dk
 ID:   25753
 Comment by:   schack at tdconline dot dk
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Why is the bug closed if the problem hasn't been solved?

I'm also having the problem with 4.3.5rc3


Previous Comments:


[2004-02-16 14:22:24] jg at execulink dot com

Just installed RC3, and I still have the same problem.  INI values are
leaking between virtualhosts.  



phpinfo(); PHP Version 4.3.5RC3



Warning: Unknown(): open_basedir restriction in effect.
File(/usr/ppp/p/pookie/public_html/index.php) is not within the allowed
path(s): (/usr/ppp/p/pdipietro) in Unknown on line 0



Warning: Unknown(/usr/ppp/p/pookie/public_html/index.php): failed to
open stream: Operation not permitted in Unknown on line 0



Warning: (null)(): Failed opening
'/usr/ppp/p/pookie/public_html/index.php' for inclusion
(include_path='.:/usr/share/pear') in Unknown on line 0



[2004-02-13 12:54:51] [EMAIL PROTECTED]

It was fixed after rc2 was released, you can either get a snapshot from
http://snaps.php.net or wait for rc3 which will be released later
today.



Derick



[2004-02-13 12:52:07] jg at execulink dot com

This bug is supposed to be fixed in 4.3.5?   I installed 4.3.5RC2 and
I'm having the same problem.  open_basedir restriction on a path
specified in a different virtual host.  Virtualhost settings are
leaking between themselves.  If there is a patch for this, someone
please email me - I'm desperate!



[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:



diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c

--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600

+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500

@@ -830,6 +830,9 @@

}

if(!AP(xbithack)) {

r-allowed |= (1  METHODS) - 1;

+   zend_try {

+   zend_ini_deactivate(TSRMLS_C);

+   } zend_end_try();

return DECLINED;

}

return send_parsed_php(r);



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/25753



#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-02-16 Thread jg at execulink dot com
 ID:   25753
 Comment by:   jg at execulink dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Just installed RC3, and I still have the same problem.  INI values are
leaking between virtualhosts.  



phpinfo(); PHP Version 4.3.5RC3



Warning: Unknown(): open_basedir restriction in effect.
File(/usr/ppp/p/pookie/public_html/index.php) is not within the allowed
path(s): (/usr/ppp/p/pdipietro) in Unknown on line 0



Warning: Unknown(/usr/ppp/p/pookie/public_html/index.php): failed to
open stream: Operation not permitted in Unknown on line 0



Warning: (null)(): Failed opening
'/usr/ppp/p/pookie/public_html/index.php' for inclusion
(include_path='.:/usr/share/pear') in Unknown on line 0


Previous Comments:


[2004-02-13 12:54:51] [EMAIL PROTECTED]

It was fixed after rc2 was released, you can either get a snapshot from
http://snaps.php.net or wait for rc3 which will be released later
today.



Derick



[2004-02-13 12:52:07] jg at execulink dot com

This bug is supposed to be fixed in 4.3.5?   I installed 4.3.5RC2 and
I'm having the same problem.  open_basedir restriction on a path
specified in a different virtual host.  Virtualhost settings are
leaking between themselves.  If there is a patch for this, someone
please email me - I'm desperate!



[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:



diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c

--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600

+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500

@@ -830,6 +830,9 @@

}

if(!AP(xbithack)) {

r-allowed |= (1  METHODS) - 1;

+   zend_try {

+   zend_ini_deactivate(TSRMLS_C);

+   } zend_end_try();

return DECLINED;

}

return send_parsed_php(r);




#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-02-13 Thread jg at execulink dot com
 ID:   25753
 Comment by:   jg at execulink dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

This bug is supposed to be fixed in 4.3.5?   I installed 4.3.5RC2 and
I'm having the same problem.  open_basedir restriction on a path
specified in a different virtual host.  Virtualhost settings are
leaking between themselves.  If there is a patch for this, someone
please email me - I'm desperate!


Previous Comments:


[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:



diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c

--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600

+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500

@@ -830,6 +830,9 @@

}

if(!AP(xbithack)) {

r-allowed |= (1  METHODS) - 1;

+   zend_try {

+   zend_ini_deactivate(TSRMLS_C);

+   } zend_end_try();

return DECLINED;

}

return send_parsed_php(r);




#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-02-02 Thread david at bizeweb dot com
 ID:   25753
 Comment by:   david at bizeweb dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

I a related problem to an apache list, and someone directed me to here.
 I thought timing was so perfect and that the problem was fixed. 
However, I think this bug still exists.  Unless I need to install a
specific CVS version. I have php4-STABLE-200402012230 installed on a
RH9 with apache2.0.44 with a php config of 
CFLAGS=-I/usr/kerberos/include -DSECURITY_HOLE_PASS_AUTHORIZATION
./configure --with-apxs2=/usr/local/apache/bin/apxs --with-gettext
--with-imap=/dl/imap-2001a --with-kerberos --with-glibcc --with-xml
--with-mysql.

I've isolated my server and in my httpd.conf have set the following for
easy testing.
StartServers 1
MinSpareServers  1
MaxSpareServers 2

<VirtualHost x.x.x.x:80>
ServerName foo.com
</VirtualHost>

<VirtualHost x.x.x.x:80>
php_admin_flag engine off
ServerName foo2.com
</VirtualHost>
I can keep going to foo.com without any problems as soon as I goto
foo2.com, then foo.com will attempt to dl the php files.
I'm new to this field, but if I can help just ask.


Previous Comments:


[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500
@@ -830,6 +830,9 @@
}
if(!AP(xbithack)) {
r-allowed |= (1  METHODS) - 1;
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
return DECLINED;
}
return send_parsed_php(r);




#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-02-02 Thread david at bizeweb dot com
 ID:   25753
 Comment by:   david at bizeweb dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

I found out that to use the CVS that you'll need to use .buildconf
first.  I had not done that.  I have installed the cvs php properly now
(I hope) and can not repeat the error.  Sorry if I got anyone looking
for something that wasn't there.


Previous Comments:


[2004-02-02 08:25:48] david at bizeweb dot com

I a related problem to an apache list, and someone directed me to here.
 I thought timing was so perfect and that the problem was fixed. 
However, I think this bug still exists.  Unless I need to install a
specific CVS version. I have php4-STABLE-200402012230 installed on a
RH9 with apache2.0.44 with a php config of 
CFLAGS=-I/usr/kerberos/include -DSECURITY_HOLE_PASS_AUTHORIZATION
./configure --with-apxs2=/usr/local/apache/bin/apxs --with-gettext
--with-imap=/dl/imap-2001a --with-kerberos --with-glibcc --with-xml
--with-mysql.

I've isolated my server and in my httpd.conf have set the following for
easy testing.
StartServers 1
MinSpareServers  1
MaxSpareServers 2

<VirtualHost x.x.x.x:80>
ServerName foo.com
</VirtualHost>

<VirtualHost x.x.x.x:80>
php_admin_flag engine off
ServerName foo2.com
</VirtualHost>
I can keep going to foo.com without any problems as soon as I goto
foo2.com, then foo.com will attempt to dl the php files.
I'm new to this field, but if I can help just ask.



[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500
@@ -830,6 +830,9 @@
}
if(!AP(xbithack)) {
r-allowed |= (1  METHODS) - 1;
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
return DECLINED;
}
return send_parsed_php(r);




#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-28 Thread rover at tob dot ru
 ID:   25753
 Comment by:   rover at tob dot ru
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Anyway - in some cases this can lead to a security violation.
Is the Apache2 module vulnerable to this bug?


Previous Comments:


[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set.  If
the +x bit is set, we load the current ini settings and if php's
xbithack option is not set we decline the request but forget to reset
the ini settings potentially leaking them to the next request.  This is
now fixed in CVS and will be in the next release of both PHP4 and PHP5.



[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500
@@ -830,6 +830,9 @@
}
if(!AP(xbithack)) {
r-allowed |= (1  METHODS) - 1;
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
return DECLINED;
}
return send_parsed_php(r);



[2004-01-27 16:08:12] rover at tob dot ru

2 hours later

We analyzed this bug more carefully.

THIS BUG IS VERY CRITICAL AND HAS A HUGE SECURITY IMPACT!

A message with an explanation has been sent to [EMAIL PROTECTED],
[EMAIL PROTECTED]



[2004-01-27 14:20:05] rover at tob dot ru

The latest patch has a disadvantage: it seems options like 'php_value
engine on' now don't work in .htaccess directives. But now I don't have
such annoying errors as earlier. Waiting for a developer solution. :)



[2004-01-27 13:55:50] rover at tob dot ru

You can try this patch: (applied to 4.3.3, 4.3.4 and 4.3.5RC1
versions):

#patch -p1 -d source_dir_of_php < patch.diff

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-27
23:59:26.0 +0500
@@ -559,6 +559,11 @@
return DECLINED;
}

+   /* Restore default ini settings */
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
+
per_dir_conf = (HashTable *)
get_module_config(r-per_dir_config, php4_module);
if (per_dir_conf) {
zend_hash_apply((HashTable *) per_dir_conf,
(apply_func_t) php_apache_alter_ini_entries TSRMLS_C
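
Review bot: Placing zend_ini_deactivate() ahead of the get_module_config() lookup clears whatever an earlier request left behind rather than making that request restore its own settings, so the stale values stay live until this function next runs and any code that reads ini state before this point still sees them. Move the reset to the exit path that skipped it. The `/* Restore default ini settings */` comment should also say whose settings are being restored, since the per-directory entries for the current request are only applied in the lines that follow.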



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/25753
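
The leak described in the [2004-01-28 12:40:04] comment, and the one-request lifetime visible in the gdb session, reduced to a small C model; this is an added example, not PHP or Apache source and not code from anyone in the thread. All struct and function names are hypothetical, and a single `engine` entry stands in for the whole ini table.

```c
/* Simplified model of the ini leak discussed in this thread.
 * Every name here is hypothetical; none of it is PHP or Apache source. */
#include <stdio.h>

enum { DECLINED = -1, OK = 0 };

/* One ini entry held in worker-process memory, shared by every request
 * the same Apache child serves. */
struct ini_entry {
    int value;      /* what handlers read */
    int orig_value; /* saved when a per-directory override is applied */
    int modified;   /* an override is currently active */
};

struct worker {
    struct ini_entry engine; /* php.ini: engine = On */
    int xbithack;            /* php.ini: xbithack = Off */
};

struct request {
    int is_html;         /* text/html goes to the xbithack handler */
    int exec_bit;        /* file has +x set */
    int engine_override; /* per-directory "engine" value, -1 if none */
};

/* Apply the per-directory override, saving the original value once. */
static void apply_per_dir(struct worker *w, const struct request *r)
{
    if (r->engine_override < 0)
        return;
    if (!w->engine.modified) {
        w->engine.orig_value = w->engine.value;
        w->engine.modified = 1;
    }
    w->engine.value = r->engine_override;
}

/* End-of-request cleanup: put overridden entries back. */
static void ini_deactivate(struct worker *w)
{
    if (w->engine.modified) {
        w->engine.value = w->engine.orig_value;
        w->engine.modified = 0;
    }
}

/* text/html handler. reset_on_decline = 0 models the reported bug,
 * 1 models the behaviour after the fix. */
static int xbithack_handler(struct worker *w, const struct request *r,
                            int reset_on_decline)
{
    if (!r->exec_bit)
        return DECLINED;          /* settings were never loaded */
    apply_per_dir(w, r);
    if (!w->xbithack) {
        if (reset_on_decline)
            ini_deactivate(w);
        return DECLINED;          /* without the reset, override stays */
    }
    ini_deactivate(w);            /* parsed-as-PHP path cleans up */
    return OK;
}

/* PHP handler: always cleans up, but trusts the engine value it finds. */
static int php_handler(struct worker *w, const struct request *r)
{
    int engine;
    apply_per_dir(w, r);
    engine = w->engine.value;
    ini_deactivate(w);
    return engine ? OK : DECLINED;
}

static int serve(struct worker *w, const struct request *r, int reset)
{
    return r->is_html ? xbithack_handler(w, r, reset) : php_handler(w, r);
}

/* Serve /info/index.html (+x, engine off), then /index.php twice, all on
 * one worker, as in the single-child reproduction. Results go to out[]. */
void run_sequence(int reset_on_decline, int out[3])
{
    struct worker w = { { 1, 0, 0 }, 0 };
    const struct request info_html = { 1, 1, 0 };   /* constructed input */
    const struct request index_php = { 0, 0, -1 };  /* constructed input */

    out[0] = serve(&w, &info_html, reset_on_decline);
    out[1] = serve(&w, &index_php, reset_on_decline);
    out[2] = serve(&w, &index_php, reset_on_decline);
}

int main(void)
{
    int buggy[3], fixed[3];
    run_sequence(0, buggy);
    run_sequence(1, fixed);
    printf("buggy: %d %d %d\n", buggy[0], buggy[1], buggy[2]);
    printf("fixed: %d %d %d\n", fixed[0], fixed[1], fixed[2]);
    return 0;
}
```

With the reset skipped, the first /index.php request is declined even though its own configuration never turned the engine off, and the request after it is served normally because the PHP handler's cleanup restores the value.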



#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-27 Thread rover at tob dot ru
 ID:   25753
 Comment by:   rover at tob dot ru
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

It seems we have found a bug in mod_php4.c. We can 100% reproduce this
error. How to reproduce (our case):
in httpd.conf we have:

# to enable only one instance of apache process
StartServers 1
MaxClients 1
#
<Directory /var/www/info/>
php_value engine off
</Directory>

in php.ini:
Engine = On,
we enable php-scripts at all site, but disable in /info.

Let's begin:
#/usr/sbin/apache.dbg -f /etc/apache/httpd.conf
#gdb /usr/sbin/apache.gdb pid_of_child (attach to child, what serve
requests)
(gdb)p php_apache_info.engine
 =1! php-engine ENABLED
(gdb)watch php_apache_info.engine  ! VERY IMPORTANT
(gdb)break send_php! bug in this func.
(gdb)c

1) Request a usual file from http://our.site/info/index.html:
Because we define 'php_value off' for this directory - at line 829 in
function php_xbithack_handler(remember - we process text/html) we call
zend_hash_apply((HashTable *) per_dir_conf, (apply_func_t)
php_apache_alter_ini_entries TSRMLS_CC);
and change our 'engine' value to 0.
backtrace for this call (don't look at line number - they shifted
because i insert debug lines in source files):
Hardware watchpoint 1: php_apache_info.engine
Old value = 1
New value = 0
#0  OnUpdateInt (entry=0x80dc778, new_value=0x80d3cc4 off,
new_value_length=3, mh_arg1=0x0, mh_arg2=0x4057f92c,
mh_arg3=0x0, stage=4) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453
#1  0x4051110a in zend_alter_ini_entry (name=0x80de170 engine,
name_length=7, new_value=0x80de180 off,
new_value_length=3, modify_type=2, stage=4) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:212
#2  0x40519fc6 in php_apache_alter_ini_entries
(per_dir_entry=0x812c598)
at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:511
#3  0x4050b8f9 in zend_hash_apply (ht=0x809fc98, apply_func=0x40519f40
php_apache_alter_ini_entries)
at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_hash.c:698
#4  0x4051ad1b in php_xbithack_handler (r=0x81367ec)
at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:850
#5  0x080551c3 in ap_invoke_handler (r=0x81367ec) at http_config.c:518
#6  0x08067e28 in process_request_internal (r=0x81367ec) at
http_request.c:1332
#7  0x08067fd4 in ap_process_request (r=0x81367ec) at
http_request.c:1348
#8  0x08060644 in child_main (child_num_arg=0) at http_main.c:4719
#9  0x080607f7 in make_child (s=0x0, slot=0, now=0) at
http_main.c:4898
#10 0x08060920 in startup_children (number_to_start=1) at
http_main.c:4925
#11 0x0806149a in standalone_main (argc=1, argv=0xbdf4) at
http_main.c:5244
#12 0x08061a08 in main (argc=1, argv=0xbdf4) at http_main.c:5601

Result of 1): we process http://our.site/info/index.html successfully and
set global var 'engine'=0!

Now we try to access http://our.site/index.php
2) breakpoint 2 executed:
Breakpoint 2, send_php (r=0x81367ec, display_source_mode=0,
filename=0x0)
at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:544
544 fh.free_filename = 0;
#0  send_php (r=0x81367ec, display_source_mode=0, filename=0x0)
at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:544
#1  0x4051a6eb in send_parsed_php (r=0x81367ec) at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:655
#2  0x080551c3 in ap_invoke_handler (r=0x81367ec) at http_config.c:518
#3  0x08067e28 in process_request_internal (r=0x81367ec) at
http_request.c:1332
#4  0x08067fd4 in ap_process_request (r=0x81367ec) at
http_request.c:1348
#5  0x08060644 in child_main (child_num_arg=135489516) at
http_main.c:4719
#6  0x080607f7 in make_child (s=0x81367ec, slot=0, now=135489516) at
http_main.c:4898
#7  0x08060920 in startup_children (number_to_start=1) at
http_main.c:4925
#8  0x0806149a in standalone_main (argc=1, argv=0xbdf4) at
http_main.c:5244
#9  0x08061a08 in main (argc=1, argv=0xbdf4) at http_main.c:5601

But look at 'engine' - IT HAS THE OLD VALUE = 0! What happened next:

In mod_php4.c at line 570 (original file from 4.3.3, 4.3.4, 4.3.5RC1) we
have:
if (!AP(engine)) {
    r->content_type = php_apache_get_default_mimetype(r TSRMLS_CC);
    r->allowed |= (1 << METHODS) - 1;
    zend_try {
        zend_ini_deactivate(TSRMLS_C);
    } zend_end_try();
    return DECLINED;
}

and instead of serving index.php as x-application-php we only return
DECLINED. Continue:

3)(gdb)c
Hardware watchpoint 1: php_apache_info.engine
Old value = 0
New value = 1
OnUpdateInt (entry=0x80dc778, new_value=0x80b53e0 1,
new_value_length=1, mh_arg1=0x0, mh_arg2=0x4057f92c,
mh_arg3=0x0, stage=8) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453
453
1: php_apache_info = {engine = 1, 
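
The request sequence traced in the gdb session above, as a toy C model added here for illustration (it is not code from mod_php4.c or from the reporter). The struct layout, the 'patched' flag and the names run_worker, apply_per_dir and ini_deactivate are assumptions that only mirror the roles of php_xbithack_handler, send_php and zend_ini_deactivate; the request list is constructed sample input.

```c
#include <stdio.h>

/* Toy model, constructed for illustration (not PHP or Apache source). */
enum { DECLINED = -1, OK = 0 };

struct ini { int engine; int xbithack; };

/* php.ini defaults from the report: engine = On; xbithack left off. */
static const struct ini master_ini = { 1, 0 };
/* Process-global table: it outlives every request served by this child. */
static struct ini active_ini = { 1, 0 };

struct request {
    const char *uri;
    int is_php;           /* 1: handled by send_php(), 0: +x text/html file */
    int has_engine_rule;  /* a per-directory "php_value engine" applies     */
    int engine_rule;      /* value of that rule                             */
};

/* Stands in for zend_hash_apply(per_dir_conf, php_apache_alter_ini_entries). */
static void apply_per_dir(const struct request *r)
{
    if (r->has_engine_rule)
        active_ini.engine = r->engine_rule;
}

/* Stands in for zend_ini_deactivate(): roll back to the php.ini values. */
static void ini_deactivate(void)
{
    active_ini = master_ini;
}

/* Handler for text/html files with the executable bit set. With patched == 0
 * the decline path returns without rolling back what apply_per_dir() changed. */
static int xbithack_handler(const struct request *r, int patched)
{
    apply_per_dir(r);
    if (!active_ini.xbithack) {
        if (patched)
            ini_deactivate();
        return DECLINED;
    }
    ini_deactivate();
    return OK;
}

/* Handler for .php files: it trusts whatever 'engine' holds on entry. */
static int send_php(const struct request *r)
{
    apply_per_dir(r);
    if (!active_ini.engine) {
        ini_deactivate();   /* this decline path already cleans up */
        return DECLINED;
    }
    /* the script would run here */
    ini_deactivate();
    return OK;
}

/* Serve the requests in order inside one child process. Bit i of the result
 * is set when request i was declined. */
static unsigned run_worker(const struct request *reqs, int n, int patched)
{
    unsigned declined = 0;
    ini_deactivate();       /* freshly started child */
    for (int i = 0; i < n; i++) {
        int rc = reqs[i].is_php ? send_php(&reqs[i])
                                : xbithack_handler(&reqs[i], patched);
        if (rc == DECLINED)
            declined |= 1u << i;
    }
    return declined;
}

/* Constructed sample: the /info page under "php_value engine off", then the
 * same script twice. */
static const struct request sample[] = {
    { "/info/index.html", 0, 1, 0 },
    { "/index.php",       1, 0, 0 },
    { "/index.php",       1, 0, 0 },
};

int main(void)
{
    /* Unpatched: the first /index.php is declined, the reload works. */
    printf("unpatched declined mask: %u\n", run_worker(sample, 3, 0));
    /* Patched: only the static page is declined. */
    printf("patched   declined mask: %u\n", run_worker(sample, 3, 1));
    return 0;
}
```

Bit 1 of the unpatched mask is the /index.php request that inherited engine = 0 from the previous request; the third request succeeds only because send_php's own decline path rolled the table back.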

#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-27 Thread rover at tob dot ru
 ID:   25753
 Comment by:   rover at tob dot ru
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

You can try this patch: (applied to 4.3.3, 4.3.4 and 4.3.5RC1
versions):

#patch -p1 -d source_dir_of_php < patch.diff

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-27
23:59:26.0 +0500
@@ -559,6 +559,11 @@
return DECLINED;
}

+   /* Restore default ini settings */
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
+
per_dir_conf = (HashTable *)
get_module_config(r-per_dir_config, php4_module);
if (per_dir_conf) {
zend_hash_apply((HashTable *) per_dir_conf,
(apply_func_t) php_apache_alter_ini_entries TSRMLS_C
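
Review bot: The reset in the @@ -559 hunk sits on the entry path, immediately before the zend_hash_apply(... php_apache_alter_ini_entries ...) call, so it cleans up after whichever earlier request left the ini table modified instead of stopping that request from leaving it modified. Any handler that applies per-directory entries and returns without deactivating still hands stale values to code that never reaches this point. The if (!AP(engine)) branch quoted earlier in this report already pairs zend_ini_deactivate(TSRMLS_C) with return DECLINED; the same pairing belongs on every return that follows the apply, and the comment should state the invariant (no per-directory value survives the request) rather than "Restore default ini settings". Because the reset here is unconditional, anything altered earlier in the same request is discarded before the per-directory table is re-applied, so this needs a test with a .htaccess-level php_value before it goes in.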



#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-27 Thread rover at tob dot ru
 ID:   25753
 Comment by:   rover at tob dot ru
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

The latest patch has a disadvantage: it seems options like 'php_value engine
on' no longer work in .htaccess directives. But now I don't have
such annoying errors as before. Waiting for a developer solution. :)


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-27 Thread rover at tob dot ru
 ID:   25753
 Comment by:   rover at tob dot ru
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

2 hours later

We analyzed this bug more carefully.

THIS BUG IS VERY CRITICAL AND HAS A HUGE SECURITY IMPACT!

A message with an explanation has been sent to [EMAIL PROTECTED],
[EMAIL PROTECTED]


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-27 Thread rover at tob dot ru
 ID:   25753
 Comment by:   rover at tob dot ru
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

We examined the source files more carefully and remade the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c2003-06-03 11:41:49.0
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c2004-01-28
10:48:27.0 +0500
@@ -830,6 +830,9 @@
}
if(!AP(xbithack)) {
r-allowed |= (1  METHODS) - 1;
+   zend_try {
+   zend_ini_deactivate(TSRMLS_C);
+   } zend_end_try();
return DECLINED;
}
return send_parsed_php(r);
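
Review bot: Only the if(!AP(xbithack)) branch gets the reset, and the three added lines are a copy of the cleanup that the if (!AP(engine)) branch in send_php already carries, with nothing in the hunk tying it to the earlier per-directory apply that makes it necessary. A small helper that runs the zend_try / zend_ini_deactivate(TSRMLS_C) / zend_end_try sequence and is called on every decline path after php_apache_alter_ini_entries would keep the two sites from drifting apart, and a one-line comment above it should say that per-directory values must be rolled back before the handler gives up the request. It is also worth confirming that the return send_parsed_php(r) path on the last line does its own deactivate, since this hunk leaves it untouched.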



#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2004-01-26 Thread paul at vanbrouwershaven dot com
 ID:   25753
 Comment by:   paul at vanbrouwershaven dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Same problem with apache 2.0.48 and PHP 4.3.4

We solved the problem by downgrading to PHP 4.3.1


Previous Comments:


[2004-01-07 07:34:20] [EMAIL PROTECTED]

Installing the patch resulted in a massive amount of errors from
apache, all looking like:
[notice] child pid 10072 exit signal Segmentation fault (11)

... about 10 of these per second

Eventually resulting in the apache server crashing.
Requesting revised patch :)



[2004-01-07 07:11:27] [EMAIL PROTECTED]

Regarding Bug #26810
We are currently testing the suggested patch on two of our troubled
servers to see if it resolves our problem. 
However the only way to get results from our tests is if our customers
do not report more errors, so I'll report back in a week or so :)

We are using Apache 1.3.28 and Apache 1.3.29 on the two servers, see
more in Bug #26810



[2003-12-22 17:47:26] dkh-php at nighttide dot net

This appears suspiciously similar to the bug I opened in 24248, only
mention it here so that it can be included at the list of related
reports.



[2003-12-04 15:49:20] [EMAIL PROTECTED]

Try the following patch:
http://bb.prohost.org/ap_bug.txt



[2003-10-30 09:35:44] fs at nessus dot at

No, that's false.
This bug occurs on Apache 1.3.x too (tested it with 1.3.27).
I think that's very essential...

greetings,

Florian Schicker
www.nessus.at



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/25753

-- 
Edit this bug report at http://bugs.php.net/?id=25753edit=1


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-12-22 Thread dkh-php at nighttide dot net
 ID:   25753
 Comment by:   dkh-php at nighttide dot net
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

This appears suspiciously similar to the bug I opened in 24248, only
mention it here so that it can be included at the list of related
reports.


Previous Comments:


[2003-10-28 04:13:33] mattias at segerdahl dot info

This bug only appears when and if you have overlapping virtualhosts in
apache2. Using FQDNs that have IN A or CNAME to an IP address on the
server seems to fix it.

This is only an observation that seems to have gotten rid of the
problem for me.

// bad2da



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while; if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.






#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-11-28 Thread blitzer at cutery dot fi
 ID:   25753
 Comment by:   blitzer at cutery dot fi
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

A workaround I did seems to work until this is fixed: make php.ini
automatically prepend a .php file that will reload the variables from
the .ini file.


Previous Comments:


[2003-11-08 12:38:07] simon at implix dot com

We have a similar problem.

We've got overlapping virtualhosts (as they
are required for one of our applications)
and sometimes PHP returns register_globals = Off,
even though = On is set in php.ini.

We are using php 4.3.4 + apache 2.0.48.

The problem doesn't exist when we use
php 4.3.1.





#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-11-28 Thread joris at ideeel dot nl
 ID:   25753
 Comment by:   joris at ideeel dot nl
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

We experience this problem, but different PHP programs are differently
susceptible to it
problem: extra slashes before quotation marks (\" instead of ")
vulnerable: PHPsysinfo & PHPnuke
not vulnerable: Squirrelmail, phpBB, phpMyAdmin
Tested on RH73 standard setup.

joris


Previous Comments:


[2003-11-28 10:07:31] blitzer at cutery dot fi

A workaround I did seems to work until this is fixed: make php.ini
automatically prepend a .php file that will reload the variables from
the .ini file.



[2003-11-08 12:38:07] simon at implix dot com

We have a similar problem.

We've got overlapping virtualhosts (as they
are required for one of our applications)
and sometimes PHP returns register_globals = Off,
even though = On is set in php.ini.

We are using php 4.3.4 + apache 2.0.48.

The problem doesn't exist when we use
php 4.3.1.



[2003-10-30 09:35:44] fs at nessus dot at

No, that's false.
This bug occurs on Apache 1.3.x too (tested it with 1.3.27).
I think that's very essential...

greetings,

Florian Schicker
www.nessus.at



[2003-10-28 04:13:33] mattias at segerdahl dot info

This bug only appears when and if you have overlapping virtualhosts in
apache2. Using FQDNs that have IN A or CNAME to an IP address on the
server seems to fix it.

This is only an observation that seems to have gotten rid of the
problem for me.

// bad2da



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/25753

-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-11-08 Thread simon at implix dot com
 ID:   25753
 Comment by:   simon at implix dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

We have a similar problem.

We've got overlapping virtualhosts (as they
are required for one of our applications)
and sometimes PHP returns register_globals = Off,
even though = On is set in php.ini.

We are using php 4.3.4 + apache 2.0.48.

The problem doesn't exist when we use
php 4.3.1.


Previous Comments:


[2003-10-30 09:35:44] fs at nessus dot at

No, that's false.
This bug occurs on Apache 1.3.x too (tested it with 1.3.27).
I think that's very essential...

greetings,

Florian Schicker
www.nessus.at



[2003-10-28 04:13:33] mattias at segerdahl dot info

This bug only appears when and if you have overlapping virtualhosts in
apache2. Using FQDNs that have IN A or CNAME to an IP address on the
server seems to fix it.

This is only an observation that seems to have gotten rid of the
problem for me.

// bad2da



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned reports. 
Any comment which has no extra value will be deleted.







-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1
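
The three-step scenario in the Description above, as an added example that is not PHP source and not part of the original report: a toy model of one Apache child whose ini table outlives requests. It assumes the www.foobar.com request takes the early "return DECLINED" path that the 2004-01-28 developer comment identifies as skipping the ini reset; the struct and function names are hypothetical, the hostnames come from the Description and the include_path values from the 2003-10-26 comment.

```c
/* Toy model (constructed for illustration, not PHP source) of per-request
 * ini overrides inside one long-lived Apache child process. */
#include <stdio.h>
#include <string.h>

struct ini_entry {
    const char *name;
    const char *master;  /* value read from php.ini at startup */
    const char *active;  /* value the current request sees */
};

/* Process-wide table: it outlives every request the child serves. */
static struct ini_entry ini_table[] = {
    { "register_globals", "On",              "On" },
    { "include_path",     ".:/usr/lib/php/", ".:/usr/lib/php/" },
};
#define INI_COUNT (sizeof ini_table / sizeof ini_table[0])

struct override { const char *name, *value; };

struct vhost {
    const char *host;
    const struct override *overrides;  /* php_value / php_admin_* lines */
    size_t n_overrides;
    int declined;  /* request takes the early "return DECLINED" path */
};

static struct ini_entry *ini_find(const char *name)
{
    for (size_t i = 0; i < INI_COUNT; i++)
        if (strcmp(ini_table[i].name, name) == 0)
            return &ini_table[i];
    return NULL;
}

/* Restore every directive to its php.ini value (end-of-request cleanup). */
static void ini_deactivate(void)
{
    for (size_t i = 0; i < INI_COUNT; i++)
        ini_table[i].active = ini_table[i].master;
}

/* Handle one request and return the value of `probe` in effect during it. */
static const char *handle_request(const struct vhost *vh, const char *probe,
                                  int with_fix)
{
    /* Per-directory configuration is applied before the handler decides
     * whether it will serve the request at all. */
    for (size_t i = 0; i < vh->n_overrides; i++) {
        struct ini_entry *e = ini_find(vh->overrides[i].name);
        if (e)
            e->active = vh->overrides[i].value;
    }
    struct ini_entry *p = ini_find(probe);
    const char *seen = p ? p->active : NULL;

    if (vh->declined) {
        if (with_fix)
            ini_deactivate();  /* the reset the early-return path lacked */
        return seen;           /* without it, the overrides stay in place */
    }
    ini_deactivate();          /* normal request shutdown */
    return seen;
}

/* One child serves www.foobar.com, then www.barfoo.com; returns what the
 * second request sees for `probe`. */
static const char *barfoo_sees(const char *probe, int with_fix)
{
    static const struct override foobar_ov[] = {
        { "register_globals", "Off" },
        { "include_path",     "/first/path:/second/path" },
    };
    const struct vhost foobar = { "www.foobar.com", foobar_ov, 2, 1 };
    const struct vhost barfoo = { "www.barfoo.com", NULL, 0, 0 };

    ini_deactivate();  /* start from a fresh child */
    handle_request(&foobar, probe, with_fix);
    return handle_request(&barfoo, probe, with_fix);
}

int main(void)
{
    printf("no reset:   register_globals=%s include_path=%s\n",
           barfoo_sees("register_globals", 0), barfoo_sees("include_path", 0));
    printf("with reset: register_globals=%s include_path=%s\n",
           barfoo_sees("register_globals", 1), barfoo_sees("include_path", 1));
    return 0;
}
```

Because the second vhost sets nothing itself, it inherits whatever the table held when the previous request returned, which is why the symptom depends on which child serves the request.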


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-31 Thread butch at infowest dot com
 ID:   25753
 Comment by:   butch at infowest dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

For me, I ended up downgrading to 4.3.1 and that seemed to resolve my
issues. Must be something that changed after 4.3.1 which is causing the
issues.


Previous Comments:


[2003-10-30 09:35:44] fs at nessus dot at

No, that's false.
This bug occurs on Apache 1.3.x too (tested it with 1.3.27).
I think that's very essential...

greetings,

Florian Schicker
www.nessus.at



[2003-10-28 04:13:33] mattias at segerdahl dot info

This bug only appears when and if you have overlapping virtualhosts in
apache2. Using FQDNs that have IN A or CNAME to an IP address on the
server seems to fix it.

This is only an observation that seems to have gotten rid of the
problem for me.

// bad2da



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned reports. 
Any comment which has no extra value will be deleted.







-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-30 Thread fs at nessus dot at
 ID:   25753
 Comment by:   fs at nessus dot at
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

No, that's false.
This bug occurs on Apache 1.3.x too (tested it with 1.3.27).
I think that's very essential...

greetings,

Florian Schicker
www.nessus.at


Previous Comments:


[2003-10-28 04:13:33] mattias at segerdahl dot info

This bug only appears when and if you have overlapping virtualhosts in
apache2. Using FQDNs that have IN A or CNAME to an IP address on the
server seems to fix it.

This is only an observation that seems to have gotten rid of the
problem for me.

// bad2da



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned reports. 
Any comment which has no extra value will be deleted.







-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-28 Thread mattias at segerdahl dot info
 ID:   25753
 Comment by:   mattias at segerdahl dot info
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

This bug only appears when and if you have overlapping virtualhosts in
apache2. Using FQDNs that have IN A or CNAME to an IP address on the
server seems to fix it.

This is only an observation that seems to have gotten rid of the
problem for me.

// bad2da


Previous Comments:


[2003-10-26 09:58:23] thorv at tiscali dot no

One virtual server (without .htaccess) sometimes gives this warning:
---
PHP Warning:  head(): Failed opening 'themes/theme.php' for inclusion
(include_path='/first/path:/second/path') in /header.php on line 31
---
The path for this virtual server should have been the php.ini path
(include_path = .:/usr/lib/php/), but obviously another virtual
server has 'leaked' a local path.

The content of the offending virtual host's .htaccess file is:
   php_value include_path /first/path:/second/path
   php_flag register_globals off

I can sometimes (but not reliably) reproduce the error by accessing the
offending virtual host a few times, and then access the site that
gives the error message. 

Have had no problems prior to Apache 2.0.47 (reported bug#24120), PHP
4.3.3 on Mandrake 9.2.



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned reports. 
Any comment which has no extra value will be deleted.







-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-26 Thread thorv at tiscali dot no
 ID:   25753
 Comment by:   thorv at tiscali dot no
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

One virtual server (without .htaccess) sometimes gives this warning:
---
PHP Warning:  head(): Failed opening 'themes/theme.php' for inclusion
(include_path='/first/path:/second/path') in /header.php on line 31
---
The path for this virtual server should have been the php.ini path
(include_path = .:/usr/lib/php/), but obviously another virtual
server has 'leaked' a local path.

The content of the offending virtual host's .htaccess file is:
   php_value include_path /first/path:/second/path
   php_flag register_globals off

I can sometimes (but not reliably) reproduce the error by accessing the
offending virtual host a few times, and then access the site that
gives the error message. 

Have had no problems prior to Apache 2.0.47 (reported bug#24120), PHP
4.3.3 on Mandrake 9.2.


Previous Comments:


[2003-10-24 22:46:18] clemmon at eventerra dot com

I'm not sure if I am on to something or not, so I will pass this info
on to those that obviously know more than me.  I am getting the
open_basedir restriction in effect in Moregroupware.  It appears that
the error consistently appears at lines with the following:
require('mime_mapping.php').  These calls appear in packages
horde.mime and horde.mime.viewer.  The rest of Moregroupware appears to
function without issue.  I hope this helps and does not clutter the
issue.



[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned 

#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-24 Thread clemmon at eventerra dot com
 ID:   25753
 Comment by:   clemmon at eventerra dot com
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

I'm not sure if I am on to something or not, so I will pass this info
on to those that obviously know more than me.  I am getting the
open_basedir restriction in effect in Moregroupware.  It appears that
the error consistently appears at lines with the following:
require('mime_mapping.php').  These calls appear in packages
horde.mime and horde.mime.viewer.  The rest of Moregroupware appears to
function without issue.  I hope this helps and does not clutter the
issue.


Previous Comments:


[2003-10-22 04:01:39] mattias at segerdahl dot info

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da



[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned reports. 
Any comment which has no extra value will be deleted.







-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-22 Thread mattias at segerdahl dot info
 ID:   25753
 Comment by:   mattias at segerdahl dot info
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Sniper,

I accidentally ran into this bug a few moments ago. I talked to Derick
about it in the channel and we agreed I would do some testing. There
is some particularly strange behaviour.

I will try to explain as well as include the files needed to reproduce
this error. But first let me point out one thing that I find really
weird.

This only occurs when the apache server has not been accessed for a
while, if you reload the page directly after you've encountered this
error message, it will work perfectly.

The error message is:

Warning: Unknown(): open_basedir restriction in effect.
File(/var/www/users.bitcom.se/index.php) is not within the allowed
path(s): (/var/www/www.sol.se) in Unknown on line 0
Warning: Unknown(/var/www/users.bitcom.se/index.php): failed to open
stream: Operation not permitted in Unknown on line 0
Warning: (null)(): Failed opening '/var/www/users.bitcom.se/index.php'
for inclusion (include_path='.:/usr/local/php//lib/php') in Unknown on
line 0

My php.ini file http://www.segerdahl.info/25753/php.ini
My httpd.conf file http://www.segerdahl.info/25753/httpd.conf

Server version: Apache/2.0.47
Server built:   Oct 20 2003 18:39:21

PHP 4.3.4RC4 configured as:

'./configure' '--with-apxs2=/usr/local/httpd/bin/apxs'
'--enable-mbstring' '--with-pear' '--with-mysql'
'--enable-magic-quotes' '--with-ftp' '--sysconfdir=/etc/php'
'--with-config-file-path=/etc/php' '--prefix=/usr/local/php/'
'--enable-mbstring' '--with-curl' '--enable-ftp' 

APACHE configured as:
./configure --sysconfdir=/etc/httpd/conf --enable-ssl
--prefix=/usr/local/httpd --enable-modules=dso,most

Contact me on efnet if you need more information... // bad2da


Previous Comments:


[2003-10-04 18:58:16] [EMAIL PROTECTED]

We do not know what causes this bug or how it can be reliably
reproduced. If you know exactly HOW this can be reproduced, add the
information here. Any other comments will be deleted.




[2003-10-04 00:48:12] [EMAIL PROTECTED]

Description:

If (for example) one virtualhost configuration has
set php_admin_flag register_globals off, in some situations the
setting persists between requests.
- php.ini settings are NOT reset between requests.

1. php.ini has register_globals = On
2. Request is made into www.foobar.com 
(which has php_admin_flag register_globals off)
3. Next request (same apache child) is made into www.barfoo.com (which
does not have the setting)

This applies to ALL php.ini directives.

Some related reports:

bug #6374 (include_path in .htaccess across multiple vhosts)
bug #7174 (Round-robin -like values for include_path)
bug #19292 (Random error: open_basedir restriction..)
bug #21564 (corrupted paths coming to open_basedir)
bug #23462 (php_admin_value open_basedir in httpd.conf)
bug #23580 (Random values for include_path)
bug #24282 (Strange Open Base Dir Restriction Errors)
bug #24974 (random open_basedir errors)
bug #25172 ($HTTP_HOST sometimes empty)

For all who think they're experiencing this problem:
DO NOT add any comments here unless you have some extra information to
give which is not already given in above mentioned reports. 
Any comment which has no extra value will be deleted.







-- 
Edit this bug report at http://bugs.php.net/?id=25753&edit=1
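
The warning quoted in the comment above has a recognisable shape: the request's main script is refused "in Unknown on line 0" under an open_basedir that belongs to a different vhost. The following is an added example, not part of the bug report or of PHP, that scans log text for that signature; the function names, the one-directory-per-vhost layout under /var/www and the second sample line are assumptions.

```python
import posixpath
import re

# Constructed sample log. Line 1 is the warning quoted in the report, joined
# onto one line; line 2 is a constructed denial raised from inside a running
# script, i.e. open_basedir working as intended.
SAMPLE_LOG = (
    "Warning: Unknown(): open_basedir restriction in effect. "
    "File(/var/www/users.bitcom.se/index.php) is not within the allowed "
    "path(s): (/var/www/www.sol.se) in Unknown on line 0\n"
    "Warning: fopen(): open_basedir restriction in effect. "
    "File(/var/www/users.bitcom.se/index.php) is not within the allowed "
    "path(s): (/var/www/www.sol.se) in /var/www/www.sol.se/read.php on line 3\n"
)

VHOST_BASE = "/var/www"  # assumption: one directory per vhost under this base

DENIAL = re.compile(
    r"open_basedir restriction in effect\.\s+File\((?P<file>[^)]+)\) is not "
    r"within the allowed path\(s\): \((?P<allowed>[^)]*)\) "
    r"in (?P<where>.+?) on line (?P<line>\d+)"
)

def vhost_root(path, base=VHOST_BASE):
    """Return '<base>/<vhost>' for a path below base, else None."""
    parts = posixpath.normpath(path).split("/")
    base_parts = base.rstrip("/").split("/")
    if parts[:len(base_parts)] != base_parts or len(parts) <= len(base_parts):
        return None
    return "/".join(parts[:len(base_parts) + 1])

def find_leaks(log_text):
    """Return (script_vhost, [vhosts whose open_basedir was in force]) for
    denials that hit the request's main script before any PHP code ran."""
    leaks = []
    for m in DENIAL.finditer(log_text):
        if m.group("where") != "Unknown" or m.group("line") != "0":
            continue  # raised from a running script: an ordinary denial
        script = vhost_root(m.group("file"))
        allowed = {vhost_root(p) for p in m.group("allowed").split(":") if p}
        allowed.discard(None)
        if script and allowed and script not in allowed:
            leaks.append((script, sorted(allowed)))
    return leaks

if __name__ == "__main__":
    for script, allowed in find_leaks(SAMPLE_LOG):
        print(f"{script}: served under open_basedir of {', '.join(allowed)}")
```

A hit means one vhost's script was opened while another vhost's restriction was still active in that Apache child; the second sample line is skipped because it was raised from a running script.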


#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-17 Thread dave at puseyuk dot co dot uk
 ID:   25753
 Comment by:   dave at puseyuk dot co dot uk
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Why not just put

php_admin_flag register_globals on

into the www.barfoo.com directives?




#25753 [Com]: php_value|flag / php_admin_* settings leak from vhosts/.htaccess files

2003-10-04 Thread mazurek at shw-networks dot de
 ID:   25753
 Comment by:   mazurek at shw-networks dot de
 Reported By:  [EMAIL PROTECTED]
 Status:   Critical
 Bug Type: Apache related
 Operating System: *
 PHP Version:  4CVS, 5CVS
 New Comment:

Hi Sniper,

do you have any plan, what causes these errors? Do you want me to test
the newest RC1?
What can I do to help you solve the problems? Our customers are
getting very unhappy (because of the open basedir errors).

Do you need access to our systems? This bug seems to be very hard to
reproduce, because it never appears directly after an Apache restart.

Daniel

