Bug 217139 - dev-lang/php: mod_php can overtake apache file handles (CVE-2003-1307)
Summary: dev-lang/php: mod_php can overtake apache file handles (CVE-2003-1307)
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
URL: http://bugs.php.net/bug.php?id=38915
Whiteboard: ?? [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2008-04-10 13:58 UTC by Christian Hoffmann (RETIRED)
Modified: 2016-06-21 10:17 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Christian Hoffmann (RETIRED) gentoo-dev 2008-04-10 13:58:04 UTC
As noted in $URL, mod_php does not properly clean up Apache file handles before spawning sub-processes, such as when using the php functions system(), exec() etc. A malicious user could completely overtake port 80, for example. Manipulating log files would be another problem, I'd guess.

I'm filing this as a separate bug as it does not look like we could expect any fix from upstream and working on our own could probably require some time.

The impact is still rather limited I'd say -- you are not supposed to use mod_php in shared hosting environments anyway.
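The descriptor inheritance the report describes, as an added example that is not part of the bug report, Apache or PHP: a parent opens a listening socket, spawns a shell the way system() would, and asks the child whether the socket is still open after exec; the hardened path marks the socket close-on-exec so the child never sees it. It assumes Linux (/proc/self/fd) and /bin/sh; open_listener, child_inherits_fd and listener_leaks_to_child are names chosen here.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Stand-in for Apache's port-80 listener: a TCP socket on an ephemeral loopback port. */
static int open_listener(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 }; /* port 0: kernel picks */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Spawn a child the way PHP's system()/exec() would and ask it whether `fd` is still open
 * after exec (reads /proc, so Linux only). Returns 1 if inherited, 0 if not, -1 on error. */
static int child_inherits_fd(int fd)
{
    char num[16];
    snprintf(num, sizeof num, "%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* in the shell, $0 is `num` */
        execl("/bin/sh", "sh", "-c", "[ -L /proc/self/fd/$0 ]", num, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 0 ? 1 : code == 1 ? 0 : -1;
}

/* harden == 0 reproduces the leak in miniature (the listener is visible to the subprocess);
 * harden == 1 sets FD_CLOEXEC so the kernel closes it on exec. Returns child_inherits_fd(). */
int listener_leaks_to_child(int harden)
{
    int fd = open_listener();
    if (fd < 0) return -1;
    if (harden && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); return -1; }
    int leaked = child_inherits_fd(fd);
    close(fd);
    return leaked;
}
```

The same check, run against a real Apache child (compare `ls -l /proc/<pid>/fd` of the spawned process with the server's listening socket inode), tells you whether a given build is still affected.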
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-11 00:54:10 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-1307 lists statements from php upstream and redhat. debian says this: http://security-tracker.debian.net/tracker/CVE-2003-1307
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-12-17 07:30:45 UTC
I highly doubt we will ever see a fix for that. I think we have to live with it. Unfixable design flaw, as Debian says.

Close as WONTFIX?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:32:47 UTC
Yes.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 23:03:18 UTC
I thought again about the reasons for this bug. As I researched this interesting issue, I found:
https://issues.apache.org/bugzilla/show_bug.cgi?id=46425

So it's fixed in apache. Unfortunately this is still exploitable with apache 2.2.16 / php 5.2.14 (http://hackerdom.ru/~dimmo/phpexpl.c). Wow! Sending the -CONT signal to apache will make it work again.

Maybe we better keep this open then. Sorry for the spam.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-04-18 22:08:47 UTC
Going through the PHP open bugs for security.

Is this one still valid from 2003?
Comment 6 Michael Orlitzky gentoo-dev 2015-04-18 23:47:06 UTC
(In reply to Yury German from comment #5)
> Going through the PHP open bugs for security.
> 
> Is this one still valid from 2003?

Yeah, it still crashes apache-2.4.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-04-04 12:56:59 UTC
I am unable to reproduce this with the latest stable versions:

www-servers/apache-2.4.18

dev-lang/php-5.6.19

This is disputed upstream due to how Apache handles the file descriptors.

Anyone else able to reproduce on the latest tree stable versions?
Comment 8 Michael Orlitzky gentoo-dev 2016-04-04 13:40:56 UTC
(In reply to Aaron Bauman from comment #7)
> I am unable to reproduce this with the latest stable versions:
> 
> www-servers/apache-2.4.18
> 
> dev-lang/php-5.6.19
> 
> This is disputed upstream due to how Apache handles the file descriptors.
> 
> Anyone else able to reproduce on the latest tree stable versions?

I wasn't able to reproduce it the last time I checked, but I forgot exactly what I tried in Comment #6. I'm also using a hardened kernel with a bunch of new security gadgets, so someone should at least try it on gentoo-sources.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 10:17:04 UTC
Tested this once again on gentoo-sources and vanilla-sources, and am unable to reproduce with any in-tree Apache versions and PHP. Please re-open if anyone is able to reproduce.