[php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Charles Plessy plessy at debian.org
Mon Aug 13 23:06:01 UTC 2012


Hi Christoph and PHP maintainers,

my answers follow this long quote about a possible release note.

For those in CC, please tell me if you do not want to get copies anymore.

On Mon, Aug 13, 2012 at 01:44:23AM +0200, Christoph Anton Mitterer wrote:
> 
> What about:
> -------------------------------------------------------
> mime-types package dropped non-standard definitions for PHP that might
> affect any systems using PHP
> ---
> The package mime-types has dropped the following non-standard
> definitions:
> application/x-httpd-php                        phtml pht php
> application/x-httpd-php-source                 phps
> application/x-httpd-php3                       php3
> application/x-httpd-php3-preprocessed          php3p
> application/x-httpd-php4                       php4
> application/x-httpd-php5                       php5
> 
> Systems, especially webservers (including but possibly not limited to
> the Apache HTTPD Server) may have used this to mark files as having
> a PHP Internet Media Type (commonly known as MIME type).
> They may have used it further, to determine that such files are to be
> interpreted by PHP rather than served as normal files.
> 
> If a webserver would not consider these files to be interpreted anymore
> this would have at least the following effects:
> - PHP web programs/sites no longer work
> - PHP files are directly exposed, which may be a security problem
> 
> 
> In order to avoid any problems, read the README.Debian from the
> php5-common package on how to correctly configure PHP (examples are
> provided for the Apache HTTPD Server) and take care, that any PHP files
> intended to be interpreted are recognised as such (typically by adding
> MIME-Type or handler definitions in the webserver configuration).
> 
> More information can be found in bug #674089 and partially in #674205.
> -------------------------------------------------------
> 
> As you can see, I personally would put the burden of explaining how to
> (securely) configure PHP to the PHP packages...
> I have some discussions about that with Ondřej in #674205 ... I'm not
> yet fully happy with it (see there)... and although he closed the bug
> and said he'd have applied some of my proposals, I could not yet find
> these changes there.

I think that the changes are the following:

-------------------------------------------------------------------------
index 26fe076..99c37c6 100644 (file)
--- a/debian/php5-common.README.Debian
+++ b/debian/php5-common.README.Debian
@@ -78,6 +78,11 @@ PHP 5 CGI and Apache HTTP Server
   installed side-by-side and both were automatically enabled, the
   results would be a bit confusing, obviously.
 
+  You should also be aware, that a server deployed in CGI mode is open
+  to several possible vulnerabilities, see upstream CGI security page
+  to learn ow to defend yourself from such attacks:
+  http://www.php.net/manual/en/security.cgi-bin.php
+
   To use php5-cgi with Apache HTTP Server:
   1) activate CGI (it's on by default in default debian setups)
      a) If using the prefork MPM, use 'a2enmod cgi'
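Review bot: The third added line has a typo, "to learn ow to defend" should read "how", and the comma in "be aware, that" on the first added line should be dropped. Since the paragraph warns of "several possible vulnerabilities" without naming any, consider adding one sentence that states the main precaution, so the warning is still useful when the linked page cannot be reached.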
@@ -86,8 +91,10 @@ PHP 5 CGI and Apache HTTP Server
   3) Add the following to a config snippet in /etc/apache2/conf.d
      <IfModule mod_actions.c>
        ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
-       Action php5-cgi /cgi-bin/php5-cgi
-       AddHandler php5-cgi .php
+       Action application/x-php /cgi-bin/php5-cgi
+       <FilesMatch \.php$>
+         AddType application/x-php php
+       </FilesMatch>
      </IfModule>
 
   Note: more modern way of doing this is to install php5-fpm package
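Review bot: The `<FilesMatch \.php$>` wrapper around `AddType application/x-php php` is added without any explanation, and a reader who copies only the AddType line out of step 3 loses it. mod_mime looks at every extension in a file name, so without the wrapper a name such as file.php.bak, whose last extension has no type of its own, would also receive application/x-php and be handed to /cgi-bin/php5-cgi. Suggest one sentence under step 3 saying why the wrapper is there, and that the type name must be identical in the Action and AddType lines because it is no longer supplied by mime-support.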
@@ -140,4 +147,4 @@ Further documentation, errata, misc.
   If after reading the documentation in this file you still have
   unanswered questions, that's a good next place to go.
 
- -- Ondřej Surý <ondrej at debian.org>, Sun,  8 Apr 2012 22:00:59 +0200
+ -- Ondřej Surý <ondrej at debian.org>, Mon,  6 Aug 2012 12:49:51 +0200
-------------------------------------------------------------------------


For the release note, I think that it would have to clearly indicate that this
only impacts the systems running PHP scripts via the CGI package, which in my
understanding are the minority.

If upgrading to Wheezy would unconditionally break these systems, then I think
that a NEWS file in php5-cgi would be an important complement, as it would
interrupt the upgrades run in standard conditions.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
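
The failure mode the proposed release note describes can be checked for before upgrading. The following is an added example, not part of the original message or of any Debian package: it reports Apache `Action` directives keyed on a media type that neither mime.types nor an `AddType` line assigns to any file, which is the state in which PHP files stop being interpreted. The sample mime.types and configuration texts and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the thread or from a real system).
MIME_TYPES_OLD = """\
application/x-httpd-php    phtml pht php
text/html                  html htm
"""
MIME_TYPES_NEW = """\
text/html                  html htm
"""
APACHE_CONF = """\
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action application/x-httpd-php /cgi-bin/php5-cgi
"""
APACHE_CONF_FIXED = """\
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action application/x-php /cgi-bin/php5-cgi
<FilesMatch \\.php$>
  AddType application/x-php php
</FilesMatch>
"""

def defined_types(mime_types, conf):
    """Media types that are mapped to at least one file extension."""
    types = set()
    for line in mime_types.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # a type followed by one or more extensions
            types.add(fields[0].lower())
    for m in re.finditer(r"^\s*AddType\s+(\S+)\s+\S+", conf, re.I | re.M):
        types.add(m.group(1).lower())
    return types

def orphaned_actions(mime_types, conf):
    """Action directives whose media type nothing assigns to files.

    Actions keyed on a handler name (no '/') are skipped: they depend on
    AddHandler/SetHandler, not on the media type table.
    """
    known = defined_types(mime_types, conf)
    orphans = []
    for m in re.finditer(r"^\s*Action\s+(\S+/\S+)\s+(\S+)", conf, re.I | re.M):
        if m.group(1).lower() not in known:
            orphans.append((m.group(1), m.group(2)))
    return orphans
```

An empty result means every media-type `Action` still has a type definition behind it; a non-empty result lists the types that need an explicit `AddType` in the web server configuration.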


