Bug #66600 FPM Module is Exposed in URL (/fcgi-php-fpm/)
Submitted: 2014-01-29 00:01 UTC
Modified: 2014-01-29 04:30 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: hansv at senseofsecurity dot com dot au
Assigned:
Status: Closed
Package: FPM related
PHP Version: Irrelevant
OS: Debian
Private report: No
CVE-ID: None

 

 [2014-01-29 00:01 UTC] hansv at senseofsecurity dot com dot au
Description:
------------
When a file is requested on a website by a user, it is normally done as follows:
http://127.0.0.1/somefile.php

During a review of logs, it was discovered that the same file can be called:
http://127.0.0.1/fcgi-php-fpm/somefile.php

Which confirms that FCGI is in use.

Furthermore, some misconfigurations may allow the user or an attacker to access files outside the document root as follows:
http://127.0.0.1/fcgi-php-fpm/home/v1234567890/html/somefile.php

Where "/home/v1234567890/html/" is an example of a shared hosting URL. (This was confirmed.)

Can you please look into this if it's an unknown bug or feature that you can't disable? (It looks like a feature.)

If it's a known feature that you can disable, is it possible to disable in the PHP FPM configuration files? And if so, how/where?


Version used: 5.4.4-14+deb7u5 
(Latest Debian version package)

---
From manual page: http://www.php.net/install.fpm
---

Test script:
---------------
Please see description.

Expected result:
----------------
When the "/fcgi-php-fpm/" path is included in the URL, and a PHP file executes as it should, it is revealed that PHP FPM is in use even though all other headers and filenames may have been removed.

Furthermore, in some shared hosting cases, it is possible to access files below the "document root" for that user and possibly other users, depending on how severe an "access control misconfiguration" is. 


Patches

Unable_to_create_patch (last revision 2014-01-29 00:03 UTC by hansv at senseofsecurity dot com dot au)

 [2014-01-29 02:49 UTC] hansv at senseofsecurity dot com dot au
It appears that this is an Apache "feature" and not a PHP problem most likely.

Response from Apache:
"Every request to /fcgi-php-fpm is mapped to something that doesn't exist on disk (by the Alias directive), so no <Directory> or <Files> configuration is applicable."
 [2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au
-Status: Open +Status: Closed
 [2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au
It's an Apache misconfiguration that's not pointed out very clearly.
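
The Apache response quoted above explains why `<Directory>` and `<Files>` rules never match the alias. As an added example (not taken from the report or from the PHP or Apache projects), here is an exposed FastCGI setup beside one restricted by a URL-matched `<Location>` block. The use of mod_fastcgi, the handler name, the alias target and the socket path are assumptions; only the `/fcgi-php-fpm` prefix comes from the report.

```apache
# Added example. Handler name, alias target and socket path are assumed,
# not taken from the reporter's server.

# --- Exposed: mod_fastcgi handing .php requests to PHP-FPM ---
<IfModule mod_fastcgi.c>
    AddHandler php-fpm-handler .php
    # Internal hand-off: .php requests are redirected to the virtual URL below.
    Action php-fpm-handler /fcgi-php-fpm
    # The alias target does not exist on disk, so no <Directory> or <Files>
    # section ever matches it, and the prefix is reachable straight from a URL.
    Alias /fcgi-php-fpm /usr/lib/cgi-bin/php-fpm-virtual
    FastCgiExternalServer /usr/lib/cgi-bin/php-fpm-virtual -socket /var/run/php5-fpm.sock
</IfModule>

# --- Restricted: same wiring, plus an access rule keyed on the URL ---
# <Location> matches the URL path rather than the filesystem, so it applies
# even though the alias target is virtual. Apache sets REDIRECT_STATUS on
# internal redirects such as the one Action performs, so a request a client
# sends directly to /fcgi-php-fpm/... is answered with 403.
<Location /fcgi-php-fpm>
    # Apache 2.2 syntax (the branch shipped with the Debian release in the report)
    Order deny,allow
    Deny from all
    Allow from env=REDIRECT_STATUS
    # Apache 2.4 equivalent of the three lines above:
    #   Require env REDIRECT_STATUS
</Location>
```

After reloading Apache, a request for `/somefile.php` should still execute while the same file requested under `/fcgi-php-fpm/` returns 403; any hits on the prefix in the access log then stand out as direct probes.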
 
Last updated: Fri Mar 29 10:01:28 2024 UTC