[php-maint] Bug#674205: php5-common: possible improvement for the Apache PHP/CGI documentation

Christoph Anton Mitterer calestyo at scientia.net
Wed Aug 1 00:08:51 UTC 2012 

severity 674205 critical
block 674089 674205
affects
stop

Hi.

Increasing severity to critical, because this is touched / very
important ... with respect to recent changes in the mime-types
package,... which basically break all use of PHP in Debian (in
wheezy)... and will even lead to disclosure of all PHP source files
served by webservers in the usual case.

There is a bug dealing with the backgrounds at: #674089

I guess both, CGI and mod_php are affected by this but I haven't checked
for the later, as it's security-wise... "problematic", which is why I
never use it.



The short story is, that the php mime-type was removed from mime-types.
At least those Apache/PHP installations using CGI, will then loose the
handler on these files, which makes them just served as plain text
files.
This breaks unrelated software (all those using php) and is a security
problem.



See the aforementioned bug for what I suggest to do now.
Basically:
1) Add a NEWS item entry, that these mime types were removed
from /etc/mime.types and what this could mean.
Possibly linking to the above bug.


2) Add documentation for the end-users, how they should (safely) enable
PHP.

For CGI this would be the above (with a corrected mistake):
-------------------------------------------------------
#Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
RemoveType php
<Files ?*.php>
        AddType application/x-php php
</Files>

ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action application/x-php /cgi-bin/php5-cgi
-------------------------------------------------------
plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
Actionto _only_ such <Directory> blocks, where php files to be
interpreted reside.

Above I used "application/x-php" no longer the
"application/x-httpd-php".


May I point out again that it's rather important to really re-do the:
RemoveType php
<Files ?*.php>
        AddType application/x-php php
</Files>

in Apache, even if we should add
application/x-php php
back to mime-types.

This is because by only that, apache would also interpret files like:
evil-virus.php.jpeg as PHP.



Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5450 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20120801/5b087384/attachment.bin>

More information about the pkg-php-maint mailing list