[php-maint] Bug#323585: marked as done (libapache2-mod-php4 - open_basedir bug - security)

Debian Bug Tracking System owner at bugs.debian.org
Wed Aug 17 13:48:07 UTC 2005


Your message dated Wed, 17 Aug 2005 23:44:14 +1000
with message-id <43033F2E.1080002 at 0c3.net>
and subject line [php-maint] Bug#323585: libapache2-mod-php4 - open_basedir bug - security
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Wed, 17 Aug 2005 14:15:09 +0200
From: thorben <thorben at gawab.com>
Message-ID: <1123638061.20050817141509 at gawab.com>
To: submit at bugs.debian.org
Subject: libapache2-mod-php4 - open_basedir bug - security

Package: libapache2-mod-php4
Version:  4.3.10-15

Same bug as described in version 5.0.4:
http://bugs.php.net/bug.php?id=32937

If somebody has a directory structure like this:
/srv/user1
/srv/user2
.
.
.
/srv/user10
/srv/user11

user1 can access the files of user10 and user12 via PHP although
open_basedir is set.


I talked to a PHP developer; for him it is fixed.

I am using Debian sarge with no other patches / backports etc.

This bug is possibly in all PHP versions; I also found it in 4.4.0 on
Gentoo Linux.

Greetings
thorben



---------------------------------------
Message-ID: <43033F2E.1080002 at 0c3.net>
Date: Wed, 17 Aug 2005 23:44:14 +1000
From: Adam Conrad <adconrad at 0c3.net>
To: thorben <thorben at gawab.com>,  323585-done at bugs.debian.org
Subject: Re: [php-maint] Bug#323585: libapache2-mod-php4 - open_basedir bug
 -	security
References: <1123638061.20050817141509 at gawab.com>
In-Reply-To: <1123638061.20050817141509 at gawab.com>

thorben wrote:
> 
> if somebody has a directory structure like this:
> /srv/user1
> /srv/user2
> .
> .
> .
> /srv/user10
> /srv/user11
> 
> user1 can access the files of user10 and user12 via PHP although
> open_basedir is set

Are you using a trailing slash on your open_basedir directives?  From
the PHP manual:

> The restriction specified with open_basedir is actually a prefix, not
> a directory name. This means that "open_basedir = /dir/incl" also
> allows access to "/dir/include" and "/dir/incls" if they exist. When
> you want to restrict access to only the specified directory, end with
> a slash. For example: "open_basedir = /dir/incl/"

... Adam
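
The prefix rule quoted from the PHP manual above, modelled in Python as an added example (not part of the original messages and not PHP's own code). It audits an open_basedir value against the /srv layout from the report; the function names are hypothetical and the directory list is constructed.

```python
# Added example: a model of the prefix rule quoted from the PHP manual in this
# thread. Not PHP's implementation; all function names are hypothetical.

def prefix_allows(entry, path):
    """open_basedir as described in the quote: a plain string-prefix test."""
    return path.startswith(entry)


def audit_open_basedir(value, directories):
    """Map each open_basedir entry to the sibling directories it also admits.

    value       -- open_basedir setting; entries separated by ':' as on Unix
    directories -- existing directories to test against (no trailing slash)
    """
    findings = {}
    for entry in filter(None, value.split(":")):
        intended = entry.rstrip("/")
        findings[entry] = sorted(
            d for d in directories
            if d != intended
            and not d.startswith(intended + "/")    # real subdirectories are intended
            and prefix_allows(entry, d + "/probe")  # stands for any file inside d
        )
    return findings


def harden(value):
    """End every entry with a slash so the prefix stops on a path boundary."""
    return ":".join(e.rstrip("/") + "/" for e in value.split(":") if e)


# Constructed sample: the directory layout from the bug report.
SRV = ["/srv/user1", "/srv/user2", "/srv/user10", "/srv/user11"]

if __name__ == "__main__":
    for setting in ("/srv/user1", harden("/srv/user1"), "/srv/user2:/tmp"):
        print(setting, "->", audit_open_basedir(setting, SRV))
```
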