Package: libapache2-mod-php
Version: 2:8.2+93
Severity: normal
Tags: patch security
X-Debbugs-Cc: tma...@gmail.com, Debian Security Team <t...@security.debian.org>
This applies to all currently available versions (goes back to initial commit of php.conf). The php.conf distributed disables the php engine for userdirs, but does not block php files from being served from them. This causes a default install to serve the php source as plaintext. Since many common php webapps still keep passwords in *.inc.php config files inside web-accessible dirs, this allows those passwords and other config data to be accessed by anyone requesting the proper url.

This happened to me while doing a debootstrap upgrade/install to a chroot lvm: my previously working php app started up in the new version serving plaintext php source from apps in my userdir, while non-userdir php was working as before.

I consider this a bug since this package intentionally changes the otherwise configured state as a "security" issue to prevent rogue php run in userdirs, while in the same file preventing raw php source from being served (line 8). There are very few reasons to directly serve php files as plaintext. A simple fix is to add a filesmatch directive to the existing directory directive to block serving the files the directive has changed handling of.

Patch below is also applied to the debian/main/7.2 branch of the fork in salsa/git I created (should work for all versions since the file has no changes up to current): https://salsa.debian.org/tmack0/php.git

PATCH:
diff --git a/debian/php.conf b/debian/php.conf index d4df3e5f7..df24ab139 100644 --- a/debian/php.conf +++ b/debian/php.conf 
@@ -17,9 +17,16 @@ # # To re-enable PHP in user directories comment the following lines # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it -# prevents .htaccess files from disabling it. +# prevents .htaccess files from disabling it. This also disables +# serving the files, as the webserver would otherwise serve them +# as plaintext, and many software packages still put passwords in +# .php files. Comment out or remove the FilesMatch directive if +# you really want to serve php as plaintext from user dirs. <IfModule mod_userdir.c> <Directory /home/*/public_html> php_admin_flag engine Off + <FilesMatch "\.ph(ar|p|ps|tml)$"> + Require all denied + </FilesMatch> </Directory> </IfModule> -- System Information: Debian Release: 12.5 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-18-amd64 (SMP w/2 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libapache2-mod-php depends on: ii libapache2-mod-php8.2 8.2.7-1~deb12u1 libapache2-mod-php recommends no packages. libapache2-mod-php suggests no packages. -- no debconf information
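Review bot: the new comment sentence "This also disables serving the files, as the webserver would otherwise serve them as plaintext" directly follows "Do NOT set it to On as it prevents .htaccess files from disabling it", so "This" reads as if the engine flag itself stops the files from being served, when it is the FilesMatch block added below that does so. Reword to name the block, e.g. `# The FilesMatch block below also denies serving these files: with the engine off` / `# the webserver would otherwise send them as plaintext, and many software packages` / `# still put passwords in .php files.` A smaller point: the pattern `\.ph(ar|p|ps|tml)$` is anchored on the suffix, so only names ending in exactly one of those extensions are denied; that matches the scope the report describes, but it is worth saying so in the comment so readers know the deny is limited to those suffixes.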
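A verification step for the misconfiguration the report describes, added here as an example and not part of the report or of Debian's php.conf: it fetches a PHP file from a userdir URL on your own server and reports whether the server denied the request, executed the file, or sent the PHP source as plaintext (the behaviour the report observed with the engine off and no FilesMatch deny). It assumes curl is available; the URL and file name in the comments are placeholders for your own setup, and the classification function is separate from the fetch so it can be checked on constructed responses without a server.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): check how an
# Apache userdir responds to a request for a .php file.
# Assumption: curl is installed; the URL is your own ~user path.

# classify_php_response STATUS BODYFILE
# Prints one of: denied, source-leak, executed, other.
# Returns 1 only for "source-leak" so it can drive a shell test.
classify_php_response() {
    status="$1"
    body="$2"
    case "$status" in
        401|403|404)
            echo "denied"
            return 0
            ;;
        200)
            # A 200 whose body still carries a PHP open tag means the engine
            # was off and the file was sent verbatim: the bug in the report.
            if grep -q '<?php' "$body"; then
                echo "source-leak"
                return 1
            fi
            echo "executed"
            return 0
            ;;
        *)
            echo "other"
            return 0
            ;;
    esac
}

# check_url URL
# Fetches the URL with curl and classifies the response. Example (placeholder):
#   check_url http://localhost/~alice/config.inc.php
# Exit status is non-zero when PHP source was served as plaintext.
check_url() {
    url="$1"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
    result=$(classify_php_response "$status" "$tmp") || true
    rm -f "$tmp"
    printf '%s %s %s\n' "$status" "$result" "$url"
    [ "$result" != "source-leak" ]
}

if [ "$#" -gt 0 ]; then
    check_url "$1"
fi
```

After applying the FilesMatch deny from the patch, a request for a `.php` file under `public_html` should classify as `denied` (403); before the fix, with `php_admin_flag engine Off` alone, the same request classifies as `source-leak`.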