[Bug 56084] New: Apache ignores access control when using FastCGI

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56084

            Bug ID: 56084
           Summary: Apache ignores access control when using FastCGI
           Product: Apache httpd-2
           Version: 2.2.22
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_access
          Assignee: bugs@httpd.apache.org
          Reporter: ha...@senseofsecurity.com.au

With the following configuration: 
Apache <VirtualHost *:80>...
        <Files wp-login.php>
                Order Deny,Allow
                Deny from all
        </Files>
</VirtualHost>

The following file is not accessible:
http://127.0.0.1/wp-login.php
As a forbidden error message by Apache is returned.

If a user or attacker accesses the following URL, the access controls by Apache
are completely ignored:
http://127.0.0.1/fcgi-php-fpm/wp-login.php
In the above case, wp-login.php is executed by PHP and a login screen is shown.

-----
In another scenario where directory-wide permissions are set to disable access,
the following configuration is used:
<VirtualHost *:80>
        <Directory /var/www/>
          <Files *.php>
              SetHandler fcgi-php-fpm
          </Files>
                Order Deny,Allow
                Deny from all
        </Directory>               
</VirtualHost>
This configuration denies access to anyone trying to access the web server's
document root.

The following URL:
http://127.0.0.1/somefile.php
Returns a forbidden error message by Apache.

However, the following URL renders:
http://127.0.0.1/fcgi-php-fpm/somefile.php

This all seem very strange, despite that PHP-FPM and Apache are 2 separate
packages, services, applications, etc.


Please note the following configuration within Apache:
conf.d/php5-fpm:Action fcgi-php-fpm /fcgi-php-fpm virtual
conf.d/php5-fpm:Alias /fcgi-php-fpm /fcgi-php-fpm
conf.d/php5-fpm:FastCgiExternalServer /fcgi-php-fpm -socket
/var/run/php5-fpm.sock -pass-header Authorization
sites-available/default:              SetHandler fcgi-php-fpm
sites-enabled/000-default:            SetHandler fcgi-php-fpm


Is it somehow possible to disable direct access to the Alias /fcgi-php-fpm ?


Note: This has been reported to PHP as well as it's unclear whether the bug is
in Apache or PHP, despite that it looks like it's most likely an Apache bug.


The main problem is that you can bypass the access controls in place by Apache
by prepending the Alias "/fcgi-php-fpm/" to a PHP file.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org