[suPHP] Security Update Released

Sebastian Marsching sebastian at marsching.com
Mon May 20 18:39:42 CEST 2013


I just released suPHP 0.7.2, which fixes a security issue present in 
suPHP 0.7.0 and 0.7.1.

The bug existed in the routine handling the display of PHP source files:

When the suPHP_PHPPath was set, mod_suphp would use the specified PHP 
executable to pretty-print PHP source files (MIME type 
x-httpd-php-source or application/x-httpd-php-source).

However, it would not sanitize the environment. Thus a user that was 
allowed to use the SetEnv directive in a .htaccess file (AllowOverride 
FileInfo) could make PHP load a malicious configuration file (e.g. 
loading malicious extensions).

As the PHP process for highlighting the source file was run with the 
privileges of the user Apache HTTPd was running as, a local attacker 
could probably execute arbitrary code with the privileges of this user.

This update fixes the problem by cleaning the environment before calling 
the PHP executable for printing the source code.

I want to thank John Lightsey for reporting this bug.

You can avoid this issue without upgrading by making sure that 
suPHP_PHPPath is not set.

There is a second change in suPHP 0.7.2, which - while not having any 
direct security implications - addresses an issue, where some unwanted 
behavior might be exploited:

suPHP offers to specify a PHP configuration file by using the 
suPHP_ConfigPath directive. For using this directive in a .htaccess 
file, AllowOverride Options must be set.

On the other hand, a user could get the same result by directly setting 
the PHPRC environment variable using the SetEnv directive. This 
directive however requires AllowOverride FileInfo.

Therefore an administrator setting AllowOverride FileInfo but not 
AllowOverride Options could have been tricked into believing that a user 
could not specify a configuration file, while in fact she could.

This is fixed now, because now suPHP will ignore the PHPRC environment 
variable and only use the SUPHP_PHP_CONFIG environment variable. This 
variable however, will always be overwritten by mod_suphp, even if it 
has been set using the SetEnv directive.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4261 bytes
Desc: S/MIME Kryptografische Unterschrift
URL: <http://lists.marsching.com/pipermail/suphp/attachments/20130520/c1287c83/attachment.bin>

More information about the suPHP mailing list