[suPHP] Security Update Released
sebastian at marsching.com
Mon May 20 18:39:42 CEST 2013
I just released suPHP 0.7.2, which fixes a security issue present in
suPHP 0.7.0 and 0.7.1.

The bug existed in the routine handling the display of PHP source files:
When the suPHP_PHPPath was set, mod_suphp would use the specified PHP
executable to pretty-print PHP source files (MIME type
x-httpd-php-source or application/x-httpd-php-source).

However, it would not sanitize the environment. Thus a user that was
allowed to use the SetEnv directive in a .htaccess file (AllowOverride
FileInfo) could make PHP load a malicious configuration file (e.g.
loading malicious extensions).

As the PHP process for highlighting the source file was run with the
privileges of the user Apache HTTPd was running as, a local attacker
could probably execute arbitrary code with the privileges of this user.

This update fixes the problem by cleaning the environment before calling
the PHP executable for printing the source code.

I want to thank John Lightsey for reporting this bug.

You can avoid this issue without upgrading by making sure that
suPHP_PHPPath is not set.

There is a second change in suPHP 0.7.2, which - while not having any
direct security implications - addresses an issue where some unwanted
behavior might be exploited:

suPHP offers to specify a PHP configuration file by using the
suPHP_ConfigPath directive. For using this directive in a .htaccess
file, AllowOverride Options must be set.

On the other hand, a user could get the same result by directly setting
the PHPRC environment variable using the SetEnv directive. This
directive, however, requires AllowOverride FileInfo.

Therefore an administrator setting AllowOverride FileInfo but not
AllowOverride Options could have been tricked into believing that a user
could not specify a configuration file, while in fact she could.

This is fixed now, because now suPHP will ignore the PHPRC environment
variable and only use the SUPHP_PHP_CONFIG environment variable. This
variable, however, will always be overwritten by mod_suphp, even if it
has been set using the SetEnv directive.
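
The first fix described above (cleaning the environment before the PHP executable is called) can be illustrated with an allowlist filter. This is an added example, not the suPHP 0.7.2 patch; the allowlist contents, the function names and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allowlist for this example: everything else is dropped. */
static const char *const ENV_ALLOW[] = { "PATH", "LANG", NULL };

/* Constructed sample: environment as it might arrive after SetEnv PHPRC. */
static char *const SAMPLE_ENV[] = {
    "PHPRC=/home/user/conf", "PATH=/usr/bin:/bin", "PATHX=/tmp", "LANG=C", NULL
};

/* Return 1 if "NAME=value" has a NAME that exactly matches the allowlist. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                            /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; ENV_ALLOW[i] != NULL; i++)
        if (strlen(ENV_ALLOW[i]) == n && strncmp(entry, ENV_ALLOW[i], n) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated envp of allowlisted entries (strings borrowed from src). */
char **build_clean_env(char *const src[])
{
    size_t count = 0, kept = 0;
    while (src[count] != NULL)
        count++;
    char **out = calloc(count + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        if (env_allowed(src[i]))
            out[kept++] = src[i];
    return out;                              /* calloc left the terminator NULL */
}

int main(void)
{
    char **envp = build_clean_env(SAMPLE_ENV);
    if (envp == NULL) return 1;
    for (size_t i = 0; envp[i] != NULL; i++)
        puts(envp[i]);                       /* this envp is what execve() would get */
    free(envp);
    return 0;
}
```

An allowlist is used rather than removing PHPRC by name, so variables nobody thought to block are dropped as well; the exact-length comparison keeps a lookalike such as PATHX from passing as PATH.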