Bug#598903: make php options more restrective

Sat, 02 Oct 2010 16:45:22 -0700 

Package: phpmyadmin
Version: 4:2.11.8.1-5+lenny6
Severity: wishlist

Hi,

would you add these options to the default settings of Apache's config
for phpmyadmin? I'm running phpmyadmin with these options set and don't
have any problems. Phpmyadmin uses not the PHP features url fopen or one
of the functions to run a shell function or opening a socket to the
outside. To make the live for bad boys harder they misuse functions of
phpmyadmin, I think these features should be disabled. Also the
restriction of open_basedir would be helpful.

diff --git a/phpmyadmin/apache.conf b/phpmyadmin/apache.conf
index 8c51ef4..16d5d49 100644
--- a/phpmyadmin/apache.conf
+++ b/phpmyadmin/apache.conf
@@ -32,6 +32,11 @@ Alias /phpmyadmin /usr/share/phpmyadmin
                php_value display_errors Off
                php_flag log_errors On
                php_flag html_errors Off
+               php_admin_flag allow_url_fopen Off
+               php_admin_flag safe_mode On
+               php_admin_value upload_tmp_dir /tmp
+               php_admin_value open_basedir 
/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/tmp/
+               php_admin_value disable_functions 
exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen
        </IfModule>
        <IfModule mod_php5.c>
                AddType application/x-httpd-php .php
@@ -43,6 +48,11 @@ Alias /phpmyadmin /usr/share/phpmyadmin
                php_value display_errors Off
                php_flag log_errors On
                php_flag html_errors Off
+               php_admin_flag allow_url_fopen Off
+               php_admin_flag safe_mode On
+               php_admin_value upload_tmp_dir /tmp
+               php_admin_value open_basedir 
/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/tmp/
+               php_admin_value disable_functions 
exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen
        </IfModule>
 </Directory>
 

Bye, Jörg.

-- System Information:
Debian Release: unstable/experimental
  APT prefers unstable
  APT policy: (900, 'unstable'), (700, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.36-rc5+
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Attachment: signature.asc
Description: Digital signature http://en.wikipedia.org/wiki/OpenPGP

Reply via email to