PHP :: Bug #66600 :: FPM Module is Exposed in URL (/fcgi-php-fpm/)

Bug #66600

FPM Module is Exposed in URL (/fcgi-php-fpm/)

Submitted:

2014-01-29 00:01 UTC

Modified:

2014-01-29 04:30 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

hansv at senseofsecurity dot com dot au

Assigned:

Status:

Closed

Package:

FPM related

PHP Version:

Irrelevant

OS:

Debian

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	hansv at senseofsecurity dot com dot au
New email:
PHP Version:		OS:

New/Additional Comment:

[2014-01-29 00:01 UTC] hansv at senseofsecurity dot com dot au

Description:
------------
When a file is requested on a website by a user, it is normally done as follows:
http://127.0.0.1/somefile.php

During a review of logs, it was discovered that the same file can be called:
http://127.0.0.1/fcgi-php-fpm/somefile.php

Which confirms that FCGI is in use.

Furthermore, some misconfigurations may allow the user or an attacker to access files outside the document root as follows:
http://127.0.0.1/fcgi-php-fpm/home/v1234567890/html/somefile.php

Where "/home/v1234567890/html/" is an example of a shared hosting URL. (This was confirmed.)

Can you please look into this if it's an unknown bug or feature that you can't disable? (It looks like a feature.)

If it's a known feature that you can disable, is it possible to disable in the PHP FPM configuration files? And if so, how/where?


Version used: 5.4.4-14+deb7u5 
(Latest Debian version package)

---
From manual page: http://www.php.net/install.fpm
---

Test script:
---------------
Please see description.

Expected result:
----------------
When the "/fcgi-php-fpm/" path is included in the URL, and a PHP file executes as it should it is revealed that PHP FPM is in use even though all other headers and filenames may have been removed.

Furthermore, in some shared hosting cases, it is possible to access files below the "document root" for that user and possibly other users, depending on how severe an "access control misconfiguration" is.

Patches

Unable_to_create_patch (last revision 2014-01-29 00:03 UTC by hansv at senseofsecurity dot com dot au)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-01-29 02:49 UTC] hansv at senseofsecurity dot com dot au

It appears that this is an Apache "feature" and not a PHP problem most likely.

Response from Apache:
"Every request to /fcgi-php-fpm is mapped to something that doesn't exist on disk (by the Alias directive), so no <Directory> or <Files> configuration is applicable."

[2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au

-Status: Open +Status: Closed

[2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au

It's an Apache misconfiguration that's not pointed out very clearly.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 13:01:31 2024 UTC