[php-maint] Bug#344952: marked as done (php4: allow_url_fopen = On by default is insecure and there are bots exploiting this)
Debian Bug Tracking System
owner at bugs.debian.org
Wed Dec 28 04:48:05 UTC 2005
Your message dated Wed, 28 Dec 2005 14:32:40 +1000
with message-id <43B21568.4070507 at 0c3.net>
and subject line [php-maint] Bug#344952: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Chris Niekel <chris at niekel.net>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this
Message-ID: <20051227213049.2615.83727.reportbug at kira.niekel.net>
X-Mailer: reportbug 3.18
Date: Tue, 27 Dec 2005 22:30:49 +0100
Package: php4
Version: 4:4.4.0-4
Severity: normal
Hi,
The setting allow_url_fopen is On by default, like upstream php4. This allows
code like:
include($p);
where $p is set in the URL. This is being exploited by people to make you do
include('http://.../bad/script');
Although this is mostly a problem on the PHP user's side, setting this option to
'Off' by default seems a good security trade-off to me. (And yes, my site
was running some strange code, fortunately as www-data.)
Regards,
Chris Niekel
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages php4 depends on:
ii libapache-mod-php4 4:4.4.0-4 server-side, HTML-embedded scripti
ii php4-cgi 4:4.4.0-4 server-side, HTML-embedded scripti
ii php4-common 4:4.4.0-4 Common files for packages built fr
php4 recommends no packages.
-- debconf information:
php4/run_apache_sslconfig: true
php4/run_apacheconfig: true
php4/update_apache_php_ini: true
---------------------------------------
Message-ID: <43B21568.4070507 at 0c3.net>
Date: Wed, 28 Dec 2005 14:32:40 +1000
From: Adam Conrad <adconrad at 0c3.net>
To: Chris Niekel <chris at niekel.net>, 344952-done at bugs.debian.org
Subject: Re: [php-maint] Bug#344952: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this
References: <20051227213049.2615.83727.reportbug at kira.niekel.net>
In-Reply-To: <20051227213049.2615.83727.reportbug at kira.niekel.net>
Chris Niekel wrote:
>
> The setting allow_url_fopen is On by default, like upstream php4. This allows
> code like:
> include($p);
> where $p is set in the URL. This is being exploited by people to make you do
> include('http://.../bad/script');
If you are blindly including random files that users tell you to with no
input validation, you have more fundamental problems than whether or not
they can inject remote files. I could rampage all over your filesystem
like that as well.
The bottom line, of course, is that allow_url_fopen is incredibly
convenient when used correctly, and I'd be willing to bet a lot of 3rd
party PHP apps in Debian rely on it in one way or another (I know I
certainly have in the past), and disabling random functionality in the
default PHP setup is no substitute for learning the basics of secure
programming.
Pretty please, with sugar on top, validate input given to you from
untrusted sources.
... Adam
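An added illustration of the two positions in this thread (not code from the bug report, the reply, or the Debian package): the include-a-URL-parameter pattern Chris describes, beside an allow-list version that answers Adam's point that the real defect is including whatever the request names. The page keys, file paths and the `?p=` parameter name are assumptions.

```php
<?php
// Added example, not part of the original thread. Assumed setup: a front
// controller that picks a page from ?p=... and includes it.

// The pattern from the report: include() of a value taken straight from the URL.
// With allow_url_fopen = On this is remote file inclusion; with it Off the same
// code is still local file inclusion (?p=../../../etc/passwd), which is why
// the maintainer says the php.ini default is not the fix.
function include_page_unsafe(string $p): void
{
    include($p);
}

// Hardened form: the request selects a key, never a path. Only keys present
// in this fixed map reach include(), so neither a URL nor a traversal
// sequence can be smuggled in, regardless of the allow_url_fopen setting.
const PAGES = [
    'home'    => 'pages/home.php',    // assumed file names
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $key): ?string
{
    // Strict key lookup: no normalisation, no guessing, no partial matches.
    if ($key === null || !array_key_exists($key, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$key];
}

function include_page_safe(?string $key): void
{
    $file = resolve_page($key);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Setting allow_url_fopen = Off in php.ini (the report's proposal) is still
// worth doing as defence in depth, but only the allow-list closes the hole.
include_page_safe($_GET['p'] ?? 'home');
```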