As noted in $URL, mod_php does not properly clean up Apache file handles before spawning sub-processes, such as when using the PHP functions system(), exec() etc. A malicious user could completely overtake port 80, for example. Manipulating log files would be another problem, I'd guess. I'm filing this as a separate bug as it does not look like we could expect any fix from upstream and working on our own could probably require some time. The impact is still rather limited I'd say -- you are not supposed to use mod_php in shared hosting environments anyway.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-1307 lists statements from php upstream and redhat. debian says this: http://security-tracker.debian.net/tracker/CVE-2003-1307
I highly doubt we will ever see a fix for that. I think we have to live with it. Unfixable design flaw, as Debian says. Close as WONTFIX?
Yes.
I thought again about the reasons for this bug. As I researched this interesting issue, I found: https://issues.apache.org/bugzilla/show_bug.cgi?id=46425 So it's fixed in apache. Unfortunately this is still exploitable with apache 2.2.16 / php 5.2.14 (http://hackerdom.ru/~dimmo/phpexpl.c). Wow! Sending the -CONT signal to apache will make it work again. Maybe we better keep this open then. Sorry for the spam.
Going through the PHP open bugs for security. Is this one still valid from 2003?
(In reply to Yury German from comment #5)
> Going through the PHP open bugs for security.
>
> Is this one still valid from 2003?

Yeah, it still crashes apache-2.4.
I am unable to reproduce this with the latest stable versions: www-servers/apache-2.4.18 dev-lang/php-5.6.19 This is disputed upstream due to how Apache handles the file descriptors. Anyone else able to reproduce on the latest tree stable versions?
(In reply to Aaron Bauman from comment #7)
> I am unable to reproduce this with the latest stable versions:
>
> www-servers/apache-2.4.18
>
> dev-lang/php-5.6.19
>
> This is disputed upstream due to how Apache handles the file descriptors.
>
> Anyone else able to reproduce on the latest tree stable versions?

I wasn't able to reproduce it the last time I checked, but I forgot exactly what I tried in Comment #6. I'm also using a hardened kernel with a bunch of new security gadgets, so someone should at least try it on gentoo-sources.
Tested this once again on gentoo-sources and vanilla-sources, and am unable to reproduce with any in tree Apache versions and PHP. Please re-open if anyone is able to reproduce.