php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #8174 Logfile entries written to php.ini, arbitrary files
Submitted: 2000-12-08 12:05 UTC Modified: 2001-06-03 23:25 UTC
From: rich at alcor dot concordia dot ca Assigned:
Status: Closed Package: PHP options/info functions
PHP Version: 4.0.1pl2 OS: Digital Unix 4.0E
Private report: No CVE-ID: None
 [2000-12-08 12:05 UTC] rich at alcor dot concordia dot ca
Noticed that strange files were being created in / (well,
in / of our chroot jail) whenever Apache restarted with
apachectl or SIGUSR1. Files often had unprintable characters in their four-letter filenames, and contained

[07-Dec-2000 11:54:34] PHP Warning:  Unable to load dynamic library './imap.so' - dlopen: cannot load ./imap.so in Unknown on line 0
[07-Dec-2000 11:54:34] PHP Warning:  Unable to load dynamic library './pgsql.so' - dlopen: cannot load ./pgsql.so in Unknown on line 0

(with appropriate date stamp, of course). BUT THEN: Last time this happened, we started looking around a little more, and found that our php.ini had been modified at a time in which no-one should have been modifying it; there *was* an Apache restart at that time, and PHP logged the above errors *into php.ini*!

This screams dangling-pointer to me, but I wouldn't know where to start to actually *fix* it, alas. 

PHP configured thusly:

 ./configure                                                \
       --without-gd                                         \
       --without-mysql                                      \
       --prefix=/pubmail/apache                             \
       --with-config-file-path=/pubmail/apache/conf         \
       --with-apache=/local/pkg/apache.webmail/apache-1.3.6 \
       --with-imap=/local/pkg/imap/imap-4.7c                \
  --with-pgsql=/pubmail/local/pkg/postgresql/root-postgresql-7.0.2


Select parts of php.ini:
error_reporting =       E_ALL & ~E_NOTICE
display_errors  =       On
log_errors              =       On
track_errors    =       Off
;error_prepend_string = "<font color=ff0000>"
;error_append_string = "</font>"
error_log       =       /apache/logs/php_errors.log
warn_plus_overloading   =       Off             ; warn if the + operator is used with strings

Other than the arbitrary file, PHP also logs its errors to the Apache error_log. It *doesn't* log to /apache/logs/php_errors.log, though.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-06-03 23:25 UTC] sniper@php.net
This should be fixed in PHP 4.0.6R. Please try the 
latest release candidate from:

http://www.php.net/~andi/php-4.0.6RC2.tar.gz

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Sep 20 01:01:28 2019 UTC