[php-maint] Bug#687307: Security issue after PHP upgrade

Dmitry Kolesnikov kastaneda at gmail.com
Tue Sep 11 15:44:37 UTC 2012

Package: php5-cgi
Version: 5.4.4-7

I use the FastCGI version of PHP and I have manually configured Apache's
mod_fcgid and mod_suexec. After upgrading php5_cli to 5.4.4-7, Apache
suddenly began to pass PHP script sources through without handling
them. This can be a serious security concern for those sites that do
not store sensitive scripts (like the configuration of database
connections) outside of the document root.

After performing a2dismod php5_cgi everything returned to normal. I
guess this is an effect of bug #685340.

Here are some pieces of my configuration files, with the real domain
replaced by 'example.com' and the username replaced by 'example':


Alias       /fcgi-bin/  /var/www/fcgi-bin.d/

ProcessLifeTime         3600
MaxRequestsPerProcess   20000
FcgidMaxRequestLen      10485760
FcgidPassHeader         AUTHORIZATION

<Location /fcgi-bin/>
        SetHandler      fcgid-script
        Options         +ExecCGI
</Location>

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    AddHandler          php-fcgi    .php
    Action              php-fcgi    /fcgi-bin/example/php-fcgi-wrapper
    SuexecUserGroup     example example

    ErrorLog ${APACHE_LOG_DIR}/example.com/error.log
    CustomLog ${APACHE_LOG_DIR}/example.com/access.log combined
</VirtualHost>

#!/bin/sh
export PHPRC=/etc/php5/cgi
exec /usr/bin/php5-cgi

With this configuration, php5_cgi enabled via a2enmod, and a Drupal
website, it's possible to see the MySQL password in cleartext when
requesting /sites/default/settings.php on that site.
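
A post-upgrade check for the failure described in this report, added here as an example (it is not part of the original message or of the Debian packaging): it fetches a canary script and reports whether Apache executed it or returned its source. The canary file name, its contents and the `canary-42` token are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original report). Post-upgrade smoke test:
# is a canary PHP script executed, or served back as source?
#
# Assumed canary, deployed by the admin in the document root as canary.php:
#   <?php echo 'canary-' . (6 * 7);
# Executed output is "canary-42"; that string never appears in the source,
# so seeing it proves the handler ran the script.

EXPECTED='canary-42'

# classify_body FILE -> prints EXECUTED, SOURCE_LEAKED or UNKNOWN
classify_body() {
    if grep -qF -e '<?php' -e '<?=' "$1"; then
        # A PHP open tag in the response means the source went out unprocessed.
        echo SOURCE_LEAKED
    elif grep -qF -e "$EXPECTED" "$1"; then
        echo EXECUTED
    else
        # Error page, redirect body, empty response: needs a human look.
        echo UNKNOWN
    fi
}

# check_url URL -> fetches the canary; succeeds only if it was executed
check_url() {
    tmp=$(mktemp) || return 2
    if ! curl -sS --max-time 10 -o "$tmp" "$1"; then
        rm -f "$tmp"
        echo "fetch failed: $1" >&2
        return 2
    fi
    verdict=$(classify_body "$tmp")
    rm -f "$tmp"
    echo "$1: $verdict"
    [ "$verdict" = EXECUTED ]
}

# Usage: ./check-php-handler.sh http://example.com/canary.php
if [ "$#" -ge 1 ]; then
    check_url "$1"
fi
```

Run it for each virtual host after any PHP or Apache package upgrade and after enabling or disabling a module; a non-zero exit status means the canary was not executed.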
