[php-maint] Bug#690413: PHP source disclosure after dist-upgrade from squeeze

Steven Chamberlain steven at pyro.eu.org
Sun Oct 14 00:37:41 UTC 2012 

Package: libapache2-mod-php5filter
Version: 5.4.4-7
Severity: grave
File: /etc/apache2/mods-available/php5filter.conf
Tags: security

Hi,

I just tested a dist-upgrade from squeeze -> wheezy on a system that was
using libapache2-mod-php5 to run conventionally-named .php scripts.

Immediately after upgrading, the source code of a file named index.php
would be served as text, instead being executed as a PHP script.

Obviously this is related to the MIME type change.  But the FilesMatch
statements in /etc/apache2/mods-enabled/php5filter.conf didn't seem to
have any effect.  This was apparently due to the <IfModule mod_php5.c>
clause not matching;  I commented out the IfModule lines in that file,
and then it worked as intended.

I'm not sure why that might be (is the php5 filter module named
something other than mod_php5.c now?) but I wonder if it is safer to
just omit the IfModule clause, because the existence of the
php5filter.conf file already implies that mod_php5 is loaded.

Filing with RC-severity because AFAIK this breaks a mod_php5-based
webserver on upgrade, and discloses potentially sensitive source code.

Thanks.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 9.0-2-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5filter depends on:
ii  apache2-mpm-prefork  2.2.22-11
ii  apache2.2-common     2.2.22-11
ii  libbz2-1.0           1.0.6-4
ii  libc0.1              2.13-35
ii  libcomerr2           1.42.5-1
ii  libdb5.1             5.1.29-5
ii  libgssapi-krb5-2     1.10.1+dfsg-2
ii  libk5crypto3         1.10.1+dfsg-2
ii  libkrb5-3            1.10.1+dfsg-2
ii  libmagic1            5.11-2
ii  libonig2             5.9.1-1
ii  libpcre3             1:8.30-5
ii  libqdbm14            1.8.78-2
ii  libssl1.0.0          1.0.1c-4
ii  libxml2              2.8.0+dfsg1-5
ii  mime-support         3.52-1
ii  php5-common          5.4.4-7
ii  tzdata               2012c-1
ii  ucf                  3.0025+nmu3
ii  zlib1g               1:1.2.7.dfsg-13

libapache2-mod-php5filter recommends no packages.

Versions of packages libapache2-mod-php5filter suggests:
pn  php-pear  <none>

-- no debconf information

More information about the pkg-php-maint mailing list