Bug 136651

Summary:	VUL-0: PHP mixes up open_basedir settings
Product:	[openSUSE] SUSE Linux 10.1	Reporter:	Christian Boltz <suse-beta>
Component:	Network	Assignee:	Cristian Rodriguez <crrodriguez>
Status:	RESOLVED WORKSFORME	QA Contact:	E-mail List <qa-bugs>
Severity:	Critical
Priority:	P5 - None	CC:	lnussel, novell, security-team
Version:	Final	Keywords:	Random
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:	maint:running:53281:critical
Found By:	Other	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Deadline:	2013-07-01
Attachments:	please try with this patch.

Description Christian Boltz 2005-12-02 10:47:50 UTC

On a server with about 100 Apache vHosts, PHP mixes up the open_basedir settiongs I set them per vHost using
php_admin_value open_basedir "/home/httpd/vhosts/cboltz.de/:/home/sprachakt/"

Unfortunately, PHP mixes them up - for example I get /home/httpd/vhosts/sprachakt.de:/home/sprachakt if I check phpinfo on cboltz.de. The mixing changes randomly if I restart Apache.

This means I have to remove the open_basedir setting - otherwise, nearly all PHP scripts (those that try to open any file) would refuse to work.

Apache and PHP are nearly up to date (I did not install the broken security updates for obvious reasons ;-) but the previous YOU updates are installed.

PS: I know that 9.1 bugs have a very little chance to be fixed. I don't know if the same problem still appears in 10.0 because I don't have a server running it.

Comment 1 Christian Boltz 2005-12-02 10:52:50 UTC

This is one of the config files I use (/etc/apache2/vhosts.d/cboltz.de.conf). The other vHosts have similar configs.


<VirtualHost 212.227.64.36:80>
    ServerName cboltz.de
    ServerPath /cboltz.de
    ServerAlias www.cboltz.de
    SuexecUserGroup  cboltz psacln
    UseCanonicalName Off

    DocumentRoot /home/httpd/vhosts/cboltz.de/httpdocs/

    <Directory /home/httpd/vhosts/cboltz.de/httpdocs>
        Allow from all
    </Directory>

    CustomLog /home/httpd/vhosts/cboltz.de/statistics/logs/access_log combined
    ErrorLog /home/httpd/vhosts/cboltz.de/statistics/logs/error_log
    ScriptAlias /cgi-bin/ /home/httpd/vhosts/cboltz.de/cgi-bin/

    php_admin_flag engine on

## the following causes the described bug if enabled ##
## (linebreak inserted by bugzilla) ##
#       php_admin_value open_basedir "/home/httpd/vhosts/cboltz.de/:/home/sprachakt/"

    php_admin_value upload_tmp_dir /home/httpd/vhosts/cboltz.de/tmp/
    php_admin_value session.save_path /home/httpd/vhosts/cboltz.de/tmp/

    <Directory "/home/httpd/vhosts/cboltz.de/error_docs">
        Allow from all
    </Directory>
    Alias "/error_docs" "/home/httpd/vhosts/cboltz.de/error_docs"
    ErrorDocument 404 /error_docs/not_found.html

    CustomLog /home/httpd/vhosts/cboltz.de/statistics/logs/access_log combined
    Alias  /plesk-stat /home/httpd/vhosts/cboltz.de/statistics/
    Alias  /webstat /home/httpd/vhosts/cboltz.de/statistics/webstat
    Alias  /webstat-ssl /home/httpd/vhosts/cboltz.de/statistics/webstat-ssl
    Alias  /ftpstat /home/httpd/vhosts/cboltz.de/statistics/ftpstat
    Alias  /anon_ftpstat /home/httpd/vhosts/cboltz.de/statistics/anon_ftpstat

    <Directory "/home/httpd/vhosts/cboltz.de/statistics">
        AuthType Basic
        AuthName "Domain-Statistiken"
        AuthUserFile /home/httpd/vhosts/cboltz.de/pd/d..plesk-stat
        require  valid-user
    </Directory>

</VirtualHost>

Comment 2 Thorsten Kukuk 2005-12-02 10:56:36 UTC

For SL9.1 we will not fix such bugs anymore.

Comment 3 Christian Boltz 2005-12-17 23:04:04 UTC

Matthias Keller <linux AT matthias-keller DOT ch> just reported that he has the same problem on SUSE Linux 10.0 after installing the latest security updates. See his mail in suse-linux mailinglist
    Subject: Troubles with newest apache2-mod_php4 update on Suse10.0
    Message-ID: <43A48FDA.9090600@matthias-keller.ch>

Is it worth fixing now? ;-)

Comment 4 Matthias Keller 2005-12-18 00:11:17 UTC

I'm the one who reported it again on the suse mailing list....
I'm running the apache2 with 34 virtualhosts at the moment...

This bug is quite annoying and it seems to have appeard only with the last update (apache2-mod_php4) as I havent seen it before but seen it a lot ever since

I'd be happy to provide you with more information about my setup...

The initial bug report sounds that the error is occuring every time - in my case it just occurs maybe every 50th time - i noticed it on a self-updating statistic page....
The other 49 times it's running correctly....

Comment 6 Cristian Rodríguez 2005-12-20 21:29:44 UTC

folks can somebody tell me what is the **real** error message when it fails ???

Comment 7 Cristian Rodríguez 2005-12-20 22:24:46 UTC

is this problem reproducible using mod_php5 ???

there are a lot reported problems about this topic


http://bugs.php.net/bug.php?id=34656
"
[14 Dec 6:29am CET] sniper@php.net

We really don't support PHP 4 anymore. If you don't test with PHP 5, we
consider the bug fixed there."


http://bugs.php.net/bug.php?id=35164

I also kindly suggest stop supporting PHP4 in the next SUSE version.

Comment 8 Matthias Keller 2005-12-20 23:58:45 UTC

Great
I cant just switch from PHP4 to PHP5 on a running productive system :-(

Here's the exact error: (i've replaced the random local domain with 'domain.com'). But this is NOT the open_basedir line from the currently used virtualhost!

*Warning*: Unknown(): open_basedir restriction in effect. File(/usr/share/amavis-stats/amavis-stats.php) is not within the allowed path(s): (/www/common/:/www/domain.com/) in *Unknown* on line *0*
*Warning*: Unknown(/usr/share/amavis-stats/amavis-stats.php): failed to open stream: Operation not permitted in *Unknown* on line *0*
*Warning*: (null)(): Failed opening '/usr/share/amavis-stats/amavis-stats.php' for inclusion (include_path='/usr/share/php') in *Unknown* on line *0
*

Comment 9 Christian Boltz 2005-12-21 00:25:34 UTC

Cristian (without "h" ;-)  - http://bugs.php.net/bug.php?id=34656 is _NOT_ topic of this bug report.

Comment 10 Christian Boltz 2005-12-21 00:43:11 UTC

I just found that the problem I reported here is already discussed on bugs.php.net:

http://bugs.php.net/bug.php?id=21564
http://bugs.php.net/bug.php?id=25753

There's also a small patch in the latter one.

If I read the bugs.php.net reports correctly, this problem is not restricted to open_basedir - it can appear on _all_ settings you do using php_admin_value. It also can affect other vHosts if you use php_admin_value in one of your vHosts.

Comment 11 Cristian Rodríguez 2005-12-22 00:42:51 UTC

Christian (with "h" ;-) ) :

about the links you mentioned.

first link ( php bug 21564)

it's an old bug report, very unlikely to apply actually.

second link ( php bug 25753)

older version too, and the metioned code it's for apache SAPI (that means apache 1.x) SAPI used here is "apache2handler" ;-)

odd thing, random crashes are a pain in the.... :(


novell@matthias-keller.ch :

for inclusion **(include_path='/usr/share/php')** in *Unknown* on line *0

so..you are also using the infamous include_path "fix" ..

will look this issue later.. sadly Im running my own PHP RPM's (5.1.2-dev) and I  'm unlikely to downgrade just to test a possible fix...(crash and burn system anyone??)

Comment 12 Matthias Keller 2005-12-22 03:04:11 UTC

I've now been experimenting with an exact clone of the server but with PHP5 and i still get the same error, tough it seems to appear a bit more rarely:

--
Warning: Unknown: open_basedir restriction in effect. File(/usr/share/amavis-stats/amavis-stats.php) is not within the allowed path(s): (/www/common/:/www/domain.ch/) in Unknown on line 0

Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0

Warning: Unknown: Failed opening '/usr/share/amavis-stats/amavis-stats.php' for inclusion (include_path='.:/usr/share/php5:/usr/share/php5/PEAR') in Unknown on line 0
--

What's it about that 'infamous include_path fix' ? I'm running the default suse10 setup, but here i also needed to add the PEAR path for another application... with php4 this was directly under /usr/share/php

Comment 13 Cristian Rodríguez 2005-12-22 05:11:28 UTC

novell@matthias-keller.ch :

see Bug 129682 for information about the 'infamous include_path fix'


Petr: I think this problem is produced due the latest patches against sapi/apache2handler/sapi_apache2.c

this patch obsoletes: 

Patch65:      php-%{version}-mod_rewrite-fix.patch
Patch68:      php-%{version}-CVE-2005-3392.patch
Patch69:      php-%{version}-errordocument-fix.patch
Patch27:      php-%{version}-save_path-segfault.patch

Comment 14 Cristian Rodríguez 2005-12-22 05:12:33 UTC

Created attachment 61661 [details]
please try with this patch.

Comment 15 Cristian Rodríguez 2005-12-23 00:50:40 UTC

Just figured Petr is on vacation...he will be back on January 2...

anyone feeling brave and testing the suggested patch ???

Comment 16 Matthias Keller 2006-01-10 09:33:42 UTC

Unfortunately I dont have the knowledge to compile and test it myself.
It would be great if someone could test it - I hate to have open_basedir disabled for much longer... :-(

Thanks

Comment 17 Cristian Rodríguez 2006-01-26 20:13:50 UTC

since this issue is quite interesting , I had made hands on testing on a server provided by M.Keller ;-) with the 10.1 PHP packages ( PHP 5.1.2) and problem is no longer reproducible :-)

the suggested patch , merges the latest available corrections to apache2handler SAPI and should fix this weird issue.

Comment 18 Petr Ostadal 2006-02-10 17:55:18 UTC

I fixed it by upstream patch phpbug-35571.patch from bugreport (php#35571 - "fixed crash in Apache 2 SAPI when more then one php script is loaded via SSI include")  for PHP5 in 9.3, 10.0  and for PHP4 in 9.1, sles9, 9.2, 9.3, 10.0
 
It is fixed with security update in [#143696]

Comment 19 Cristian Rodríguez 2006-03-02 21:33:41 UTC

More people is reporting frecuently this problem now.

http://bugs.php.net/bug.php?id=36257

Short Story : USE PHP 5.1.x

Comment 20 Christian Boltz 2006-10-19 11:30:18 UTC

(In reply to comment #19)
> Short Story : USE PHP 5.1.x

Unfortunately, the story isn't that short - this still happens with PHP 5.1 on a 10.1 server :-(

Versions:
php5-5.1.2-29.19
apache2-2.2.0-21.7

upgrading severity because this bug doesn't allow to have secure PHP settings (like open_basedir) and/or strict apparmor profiles per vHost.

Comment 21 Petr Ostadal 2006-10-19 12:26:44 UTC

fixed in upstream
for php-4.4:
http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?r1=1.1.2.3.8.1&r2=1.1.2.3.8.2
http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2filter/apache_config.c?r1=1.28.2.1.8.1&r2=1.28.2.1.8.2

for php-5.1
http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?r1=1.7.2.1&r2=1.7.2.2
http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2filter/apache_config.c?r1=1.34.2.1&r2=1.34.2.2

Comment 22 Petr Ostadal 2006-10-19 14:20:55 UTC

reassign to Ales Nosek (new maintainer of php, congratulation :))

Comment 23 Cristian Rodríguez 2006-10-19 22:12:14 UTC

right, this needs to be fixed in the next round of security fixes.. ;-)

Comment 24 Ales Nosek 2006-10-24 13:26:06 UTC

Hi, could I fix this problem together with another security bug, or should I fix it now?

Comment 25 Cristian Rodríguez 2006-10-24 19:35:16 UTC

see bug #210503 for candidates to fix with this ;)

Comment 26 Christian Boltz 2006-10-24 23:08:48 UTC

(In reply to comment #25)
> see bug #210503 for candidates to fix with this ;)

"Access Denied" - I assume it's a security relevant bug?

BTW: If you have some test packages available, I'll happily try them.

Comment 27 Ludwig Nussel 2006-10-25 08:25:00 UTC

What other security bug?

Comment 28 Ales Nosek 2006-10-26 16:51:21 UTC

I meant the future security bugs

Comment 29 Christian Boltz 2006-11-04 00:14:46 UTC

ping ;-)

security team: when can fixed packages for this be expected?

Note: This bug is really security relevant!
Being unable to restrict open_basedir means that scripts from one vHost can modify data of any other vHost. Since I have running Typo3 (including file upload via PHP) on several vHosts, lots of files and directories are writeable by wwwrun - therefore the "no write permissions on filesystem level" argument unfortunately is not valid here.
-> I'd vote for releasing the fix ASAP.

Ales: Is it possible to make some test packages available?

Comment 30 Thomas Biege 2006-11-06 10:50:39 UTC

Another security update is in the queue. This bug will be fixed along with it.

Comment 31 Ales Nosek 2006-11-09 16:53:03 UTC

I submitted fixed packages:

php4  10.0-all
php4  9.2-all   
php4  9.3-all   
php4  sles9-all 

php5  10.0-all
php5  9.3-all
php5  sles10-all

Comment 32 Christian Boltz 2007-02-07 15:03:03 UTC

Just FYI: I upgraded my server to 10.2 - right now it looks like this bug is finally fixed there :-)

Anyway: What's the status of fixed packages for <= 10.1?

Comment 33 Thomas Biege 2007-03-01 08:02:28 UTC

MaintenanceTracker-8539

Comment 34 Marcus Meissner 2007-03-13 13:16:20 UTC

updated packages approved.

Comment 35 Christian Boltz 2007-11-01 16:11:03 UTC

I'm afraid this bug isn't (completely?) fixed yet :-(

Currently, I have 85 vHosts on a 10.2 x86_64 server. 4 of them have open_basedir set, the others don't have open_basedir restrictions.

Now I have seen the well known error message in the log (domain names replaced):

PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/www/domain.foo/httpdocs/wiki/index.php) is not within the allowed path(s): (/home/www/otherdomain.foo/:/home/www/all) in Unknown on line 0, referer: http://domain.foo/index.php

- domain.foo does not have open_basedir restrictions set
- otherdomain.foo does have open_basedir restrictions - but is another vHost

My config files still look like in comment #1, the only change are
- added AppArmor AADefaultHatName statements
- removed some aliases
Both changes shouldn't be relevant to this bug.

Comment 36 Matthias Keller 2007-11-05 11:11:54 UTC

I just happened to see this problem again too recently (I'm the one from #4) where an upload virus check failed because of wrong directories being used.

The domain in question has the default upload_tmp_dir defined as /tmp
Another domain has its upload dir as /www/domain1.ch/temp

This log shows, that the file was really uploaded to /www/domain1.ch/temp, whereas the script executed was from domain2.ch (which should have used /tmp ):

Nov  3 17:54:44 server VIRUSCHECK: error checking /www/domain1.ch/temp/php49YiwG: lstat() failed. ERROR
Nov  3 17:54:44 server suhosin[14799]: ALERT - fileupload verification script disallows file - file dropped (attacker 'x.x.x.x', file '/www/domain2.ch/public_html/somefile.php')

Matt

Comment 37 Cristian Rodriguez 2007-11-05 19:18:04 UTC

can you please try with 10.3 or the packages available from 
http://download.opensuse.org/repositories/server:/php/ and tell me if that works ?



ps: debugging this kind of bugs is a real fun.....;)

Comment 38 Cristian Rodriguez 2007-12-11 08:04:08 UTC

if someone can provide reliable information on how to reproduce this bug again please reopen, otherwise it will be inpossible to fix due to it's weirdness,

Comment 39 Swamp Workflow Management 2013-06-27 05:11:52 UTC

The SWAMPID for this issue is 53280.
This issue was rated as critical.
Please submit fixed packages until 2013-07-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 40 Swamp Workflow Management 2013-06-27 05:12:09 UTC

The SWAMPID for this issue is 53281.
This issue was rated as critical.
Please submit fixed packages until 2013-07-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.