Hi,

Moritz Muehlenhoff wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1550-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Moritz Muehlenhoff
> April 17, 2008 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : suphp
> Vulnerability : programming error
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2008-1614
> Debian Bug : 475431
>
> It was discovered that suphp, an Apache module to run PHP scripts with
> owner permissions, handles symlinks insecurely, which may lead to
> privilege escalation by local users.
I upgraded the package as suggested, but it broke my setup.

For what it's worth, I have a virtualhost whose documentroot is /var/www/foo. That directory is owned by user foo. Under this one, I have a directory /var/www/foo/bar, that contains a script index.php, both being owned by user bar. (This web site is composed of several branches, managed by different people.)

With the new suphp, apache refuses to serve /var/www/foo/bar/index.php because /var/www/foo is not owned by the script's owner.

Looking at the diff between 0.6.2-1 and 0.6.2-1+etch0, it looks like the new suPHP::Application::checkParentDirectories function is responsible for this new behaviour. Since my setup involves no symlink at all, I think this check exceeds what is required to fix the security flaw.

Would it be possible to fix this behaviour?

Cheers,

Nicolas Boullis
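A small model of the parent-directory ownership check the reply describes, added here as an example and not suPHP's or Debian's code. It assumes the check walks from the script's directory up to and including the docroot and accepts only directories owned by the script's owner or by root; a constructed ownership table (uids 1001 and 1002 standing in for foo and bar) replaces a real filesystem so it runs offline.

```python
from pathlib import PurePosixPath

ROOT_UID = 0

# Constructed ownership table standing in for a real filesystem: path -> uid.
# uid 1001 is assumed to be user foo, uid 1002 user bar (both assumptions).
CONSTRUCTED_OWNERS = {
    "/var/www": ROOT_UID,
    "/var/www/foo": 1001,                # docroot, owned by foo
    "/var/www/foo/bar": 1002,            # branch directory, owned by bar
    "/var/www/foo/bar/index.php": 1002,  # script, owned by bar
}


def check_parent_directories(script, docroot, owners):
    """Model of the parent-directory ownership check described in the email.

    Walk from the script's directory up to and including the docroot and
    require each directory to be owned by the script's owner or by root.
    Returns (True, None) when every directory passes, otherwise
    (False, first_offending_directory).  This is an assumed simplification
    for illustration, not suPHP's own checkParentDirectories.
    """
    script_path = PurePosixPath(script)
    docroot_path = PurePosixPath(docroot)
    script_uid = owners[str(script_path)]
    directory = script_path.parent
    while True:
        if owners[str(directory)] not in (script_uid, ROOT_UID):
            return False, str(directory)
        # Stop at the docroot, or at "/" if the docroot was never reached.
        if directory == docroot_path or directory == directory.parent:
            return True, None
        directory = directory.parent


def email_layout():
    """The layout from the email: rejected at /var/www/foo (owned by foo, not bar)."""
    return check_parent_directories(
        "/var/www/foo/bar/index.php", "/var/www/foo", CONSTRUCTED_OWNERS)


def single_owner_layout():
    """Same tree with the docroot owned by bar as well: the check passes."""
    owners = dict(CONSTRUCTED_OWNERS, **{"/var/www/foo": 1002})
    return check_parent_directories(
        "/var/www/foo/bar/index.php", "/var/www/foo", owners)


if __name__ == "__main__":
    print(email_layout())          # (False, '/var/www/foo')
    print(single_owner_layout())   # (True, None)
```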