From:             [EMAIL PROTECTED]
Operating system: linux
PHP version:      4.1.0
PHP Bug Type:     Unknown/Other Function
Bug description:  security problem when handling ~user

Ok.. this is not exactly a 'bug', but rather something that seems like a
security design problem. I already mailed [EMAIL PROTECTED], because I
think this falls somehow between the two, but I am sending it to the PHP
team as well. I hope this is the right address to mail it to; if not,
please tell me where to send it to, or forward it to whoever needs to read
it.

anyway, here goes:
------------------------------------------------------------
Hello,

I have recently built a page on a certain Linux host running Apache +
PHP, under a regular user account I have on that machine (I do not have root
access or Apache administration access; it's simply an educational
computer with hundreds of accounts, all allowing ~user under the
public_html directory).

Now, what I have noticed is interesting and troubling altogether, unless
I am missing some major configuration bit (though I did look through the
httpd.conf AND searched the site documents for it).
All the PHP scripts I am running are running using the apache:apache user
and group, instead of using MyUser:MyGroup. This has several security
implications:
1. I can upload through it a lot more files to my home directory than my
quota allows.
2. I need to give all the data files I want to update 666 permissions,
and all upload directories 777, so the apache user can write to them, which
puts my files at risk.
3. Even if I build the scripts so they will create the files under the
apache:apache user (so a simple 644 is enough for the file to be updated
by the PHP, though then I can't update it manually), then every other user
in the system can build a PHP script that erases or changes all my files.
4. _I_ can change the contents of every other file any user has put in
his home directory with write permissions for the apache server.
5. I can change/erase many default installation files of the apache server
that were installed as apache:apache.

The solution to all this is obviously very very simple. The mapping of the
UserDir should make sure that once a directory is accessed using ~, the
apache httpd will open a new instance of the httpd, running with euid and
egid of the user appearing after the ~, that will access his homepage.
However, I was unable to find such a configuration option.

So, I would like to know if I have missed something out (as did the
administrator of the computer I am using), and this is, indeed,
configurable, or whether this is, in fact, a major security problem. 

Thanks in advance for the information,

Ofer Maor
Senior Security Consultant
eDvice Security Services.

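A small audit script for the situation the report describes, added here as an example and not part of the bug report or of PHP/Apache: it lists the world-writable entries (the 666 files and 777 directories a user has to create so a shared apache user can write) and the entries not owned by the home directory's owner (files created as apache:apache) under a public_html tree. It assumes a POSIX find(1); the usage path at the end is hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a ~user web tree for the
# two conditions the report describes. Assumes a POSIX find(1).

# Print every entry under DIR that is writable by "other" (the 666 files and
# 777 directories the reporter had to create so the shared apache user could
# write into his home directory).
list_world_writable() {
    find "$1" -perm -002 -print | LC_ALL=C sort
}

# Print the number of such entries (0 means nothing is exposed this way).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print every entry under DIR that is not owned by OWNER: files created by
# another identity, such as a web server running as apache:apache, which the
# home directory's owner then cannot update or remove by hand.
list_foreign_owned() {
    find "$1" ! -user "$2" -print | LC_ALL=C sort
}

# Human-readable report for one home directory.
audit_webdir() {
    dir=$1
    owner=$2
    echo "== $dir (expected owner: $owner) =="
    ww=$(list_world_writable "$dir")
    if [ -n "$ww" ]; then
        printf 'world-writable entries:\n%s\n' "$ww"
    fi
    foreign=$(list_foreign_owned "$dir" "$owner")
    if [ -n "$foreign" ]; then
        printf 'entries not owned by %s:\n%s\n' "$owner" "$foreign"
    fi
    echo "total world-writable: $(count_world_writable "$dir")"
}

# Usage (hypothetical path and account name):
#   audit_webdir /home/someuser/public_html someuser
```

Run it as the account owner; a non-empty "entries not owned by" list is exactly the case in point 3 above, where the owner can no longer edit or delete the files by hand.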
-- 
Edit bug report at http://bugs.php.net/?id=16126&edit=1