Ticket #1250 (closed defect: fixed)

Opened 2 months ago

Last modified 2 months ago

Please harden the php open_basedir paths in the apache config files.

Reported by: anonymous Assigned to:
Priority: critical Milestone: ispCP ω 1.0.0 - RC5
Component: Config Files Version: ispCP ω 1.0.0 - RC4
Severity: Don't know Keywords:
Cc:

Description

The values in open_basedir don't work as directories, instead they are handled as prefixes, see the PHP-doc:

The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"

This means that there are potential security holes in the whole open_basedir apache config files. So please add backslashes at the end of the values everywhere where it's missing.

Attachments

Change History

05/14/08 00:26:13 changed by anonymous

Of course you should add slashes and not backslashes as I mentioned.

05/14/08 09:17:41 changed by rats

  • status changed from new to closed.
  • resolution set to invalid.
  • milestone changed from Working to ispCP ω 1.0.0 - RC5.

They are all "hardened" - if not, please provide me a file! (or better all)

05/14/08 12:50:41 changed by anonymous

  • status changed from closed to reopened.
  • resolution deleted.

In the main isp apache config they are hardened, but not in the domain specific files, e.g. in configs/[any_distribution]/apache/parts/dmn_php2_entry.tpl:

<IfModule mod_php4.c>
        php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}:{WWW_DIR}/{DMN_NAME}/phptmp:{PEAR_DIR}"
        ...
</IfModule>
<IfModule mod_php5.c>
        php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}:{WWW_DIR}/{DMN_NAME}/phptmp:{PEAR_DIR}"
        ...
</IfModule>

You can find these configs in configs/[any_distribution]/apache/parts/..._php2_entry.tpl

Here there should be a slash at the end of the first {DMN_NAME}, after phptmp and {PEAR_DIR}.

The same happens in the subdomain configs (configs/[any_distribution]/apache/parts/dmn_php2_entry.tpl):

...php4...
php_admin_value open_basedir "{WWW_DIR}/{SUB_NAME_PHP2}:{WWW_DIR}/{SUB_NAME_PHP2}/phptmp:{PEAR_DIR}"
...php5...
php_admin_value open_basedir "{WWW_DIR}/{SUB_NAME_PHP2}:{WWW_DIR}/{SUB_NAME_PHP2}/phptmp:{PEAR_DIR}"
...

Here there should be a slash at the end of the first {SUB_NAME_PHP2}, after phptmp and {PEAR_DIR}.

The same in configs/debian/apache/parts/als_php2_entry.tpl:

...php4...
php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}{MOUNT_POINT}:{WWW_DIR}/{DMN_NAME}{MOUNT_POINT}/phptmp:{PEAR_DIR}"
...php5...
php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}{MOUNT_POINT}:{WWW_DIR}/{DMN_NAME}{MOUNT_POINT}/phptmp:{PEAR_DIR}"
...
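
The check requested in this comment, as an added example that is not part of the ticket or of ispCP: a small linter that flags open_basedir entries without a trailing slash (and entries containing a double slash) in template text, plus a model of the prefix rule quoted from the PHP documentation above. The first sample line is taken from the ticket; the other two sample lines and the /var/www/virtual/... paths are constructed for illustration.

```python
import re

# Matches the directive as it appears in the templates quoted in the ticket.
DIRECTIVE = re.compile(r'php_admin_value\s+open_basedir\s+"([^"]*)"')

# Line 1 is the unhardened line from the ticket; lines 2 and 3 are constructed.
SAMPLE_TPL = """\
php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}:{WWW_DIR}/{DMN_NAME}/phptmp:{PEAR_DIR}"
php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}/:{WWW_DIR}/{DMN_NAME}/phptmp/:{PEAR_DIR}/"
php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}{MOUNT_POINT}/:{WWW_DIR}/{DMN_NAME}{MOUNT_POINT}/phptmp//:{PEAR_DIR}/"
"""


def prefix_allows(entry, path):
    """Model of the rule quoted from the PHP documentation: plain prefix match."""
    return path.startswith(entry)


def lint_open_basedir(text):
    """Return (line_no, entry, problem) for each suspicious open_basedir entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = DIRECTIVE.search(line)
        if not match:
            continue
        # Entries are colon-separated in these Unix templates.
        for entry in match.group(1).split(":"):
            if not entry.endswith("/"):
                findings.append((line_no, entry, "no trailing slash"))
            if "//" in entry:
                findings.append((line_no, entry, "double slash"))
    return findings


if __name__ == "__main__":
    for line_no, entry, problem in lint_open_basedir(SAMPLE_TPL):
        print(f"line {line_no}: {entry!r}: {problem}")

    # Constructed paths: a sibling directory whose name shares the prefix.
    sibling = "/var/www/virtual/example.com.backup/config.php"
    for entry in ("/var/www/virtual/example.com", "/var/www/virtual/example.com/"):
        print(f"{entry!r} allows sibling: {prefix_allows(entry, sibling)}")
```

The linter works on the unexpanded template, so a placeholder whose value itself begins or ends with a slash can still produce a double slash after rendering.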

05/15/08 13:58:06 changed by zothos

really needed

| The restriction specified with open_basedir is actually a prefix, not a
| directory name. This means that "open_basedir = /dir/incl" also allows
| access to "/dir/include" and "/dir/incls" if they exist. When you want to
| restrict access to only the specified directory, end with a slash. For
| example: "open_basedir = /dir/incl/"

I'm rewriting the tpl on Sunday. No time till Sunday, I'm sorry :(. But you could provide a patch, then I'll commit it asap!

(follow-up: ↓ 6 ) 05/15/08 20:33:53 changed by rats

  • status changed from reopened to closed.
  • resolution set to fixed.

not needed zothos, I've sed'd them. fixed in r1154; please check, if I missed one.

(in reply to: ↑ 5 ) 05/15/08 23:01:55 changed by anonymous

Replying to rats:

not needed zothos, I've sed'd them. fixed in r1154; please check, if I missed one.

Hi, you've wrongly added two slashes after the phptmp in each "als_php2_entry.tpl", see your changeset 1156.

05/15/08 23:06:25 changed by anonymous

  • status changed from closed to reopened.
  • resolution deleted.

I temporarily reopen this bug, until the double slashes after phptmp in the open_basedir-line in als_php2_entry.tpl are corrected.

05/16/08 10:00:25 changed by rats

  • status changed from reopened to closed.
  • resolution set to fixed.

sorry, corrected in r1157

