[php-maint] Bug#687307: Security issue after PHP upgrade

[Dmitry Kolesnikov]

Package: php5-cgi
Version: 5.4.4-7

I use FastCGI version of PHP and I have manually configured Apache's
mod_fcgid and mod_suexec. After upgrade php5_cli to 5.4.4-7, Apache
suddenly began to pass source PHP scripts without handling. This can
be a serious security concern for those sites that do not store
sensitive scripts (like configuration of database connections) outside
of document root.

After performing a2dismod php5_cgi everything returned to normal. I
guess this is impact of the bug #685340.

Here is some piece of my configuration files, with real domain
replaced to 'example.com' and username replaced to 'example':


/etc/apache2/conf.d/php-fcgid
=====================

Alias       /fcgi-bin/  /var/www/fcgi-bin.d/

ProcessLifeTime         3600
MaxRequestsPerProcess   20000
FcgidMaxRequestLen      10485760
FcgidPassHeader         AUTHORIZATION

<Location /fcgi-bin/>
        SetHandler      fcgid-script
        Options         +ExecCGI
</Location>


/etc/apache2/sites-enabled/example.com
=====================

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    AddHandler          php-fcgi    .php
    Action              php-fcgi    /fcgi-bin/example/php-fcgi-wrapper
    SuexecUserGroup     example example

    ErrorLog ${APACHE_LOG_DIR}/example.com/error.log
    CustomLog ${APACHE_LOG_DIR}/example.com/access.log combined
</VirtualHost>


/var/www/fcgi-bin.d/gray/php-fcgi-wrapper
=====================

#!/bin/sh
export PHPRC=/etc/php5/cgi
export PHP_FCGI_MAX_REQUESTS=25000
exec /usr/bin/php5-cgi


For this configuration, a2enmod'ed php5_cgi and Drupal website it's
possible to see the MySQL password in the cleartext when requesting
/sites/default/settings.php on that site.