Package: apache2-mpm-itk
Version: 2.2.22-13+deb7u1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I was setting up a new webhosting server using the latest Wheezy version, and in particular moving away from suexec/fcgid and to mpm-itk for performance reasons. During one of the tests with a php script containing just the line `<?php print get_current_user() ?>` I was shocked to discover that the return value was 'root' rather than 'testclient' because I'd created the file as root ('testclient' doesn't get a shell login) and the script's UID was set to the file owner rather than the explicitly stated `AssignUserID testclient webclients`.

I ran a second test, this time placing the script in /var/www and adding 'AssignUserID www-data www-data' to /etc/apache2/sites-enabled/000-default, and observed the same behavior.

I'm breaking my head over whether I might have made a mistake during configuration, but this is a near-pristine server setup -- and either I've done something very badly wrong or this is a serious security problem with mpm-itk, especially if someone can write a script in their webhosting docroot and then chown it to root.

-- Package-specific info:

List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi deflate dir env evasive20 mime negotiation php5 reqtimeout setenvif status

List of enabled php5 extensions:
memcached pdo

-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-mpm-itk depends on:
ii apache2.2-bin 2.2.22-13+deb7u1
ii apache2.2-common 2.2.22-13+deb7u1

apache2-mpm-itk recommends no packages.
apache2-mpm-itk suggests no packages.

-- no debconf information
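The report's two tests both come down to one observable condition: a file sitting in a DocumentRoot whose owner is not the user named in that vhost's `AssignUserID`. The following audit script is an added example for operators checking their own hosts; it is not part of the bug report or of the mpm-itk package. It assumes Apache 2.2 vhost syntax (`<VirtualHost>` blocks containing `DocumentRoot` and `AssignUserID user group`) and lists every path under each DocumentRoot that is not owned by the assigned user, which is exactly the set of scripts that would run as the wrong identity if mpm-itk behaves as described above. The sample config and docroot are constructed in `demo()`.

```python
"""Audit Apache 2.2 vhost configs for DocumentRoot files not owned by the
AssignUserID user. Added example for the bug report above; not project code.
"""
import os
import pwd
import re
import tempfile

# Assumed vhost syntax: <VirtualHost ...> ... </VirtualHost> with the two directives inside.
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(DocumentRoot|AssignUserID)\s+(.+?)\s*$", re.M | re.I)


def parse_vhosts(config_text):
    """Return [(docroot, user)] for every <VirtualHost> that sets both directives."""
    result = []
    for body in VHOST_RE.findall(config_text):
        docroot = user = None
        for name, value in DIRECTIVE_RE.findall(body):
            if name.lower() == "documentroot":
                docroot = value.strip('"')
            else:  # AssignUserID takes "user group"; only the user matters here
                user = value.split()[0]
        if docroot and user:
            result.append((docroot, user))
    return result


def owner_name(path):
    """Owner of path as a user name; falls back to the numeric uid if no passwd entry exists."""
    uid = os.lstat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_docroot(docroot, user):
    """Paths under docroot not owned by user. Under the behaviour the report
    describes, each such script would execute as its owner instead of as user."""
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if owner_name(path) != user:
                mismatches.append(path)
    return sorted(mismatches)


def audit_config(config_text):
    """Map each DocumentRoot to its list of wrongly owned paths."""
    return {docroot: audit_docroot(docroot, user)
            for docroot, user in parse_vhosts(config_text)}


def demo():
    """Constructed sample: a throwaway docroot with one script, checked against
    a vhost that assigns the file's real owner and one that assigns 'testclient'."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "index.php"), "w") as f:
        f.write("<?php print get_current_user() ?>\n")
    me = owner_name(tmp)
    matching = (f"<VirtualHost *:80>\n DocumentRoot {tmp}\n"
                f" AssignUserID {me} {me}\n</VirtualHost>\n")
    other = (f"<VirtualHost *:80>\n DocumentRoot {tmp}\n"
             " AssignUserID testclient webclients\n</VirtualHost>\n")
    return audit_config(matching)[tmp], audit_config(other)[tmp]


if __name__ == "__main__":
    ok, bad = demo()
    print("owned by the AssignUserID user, nothing to report:", ok)
    print("owned by someone else, would run as the owner:", bad)
```

On a real host, feed it the concatenated contents of /etc/apache2/sites-enabled/* and treat any listed path as something to chown back to the vhost's user (or to investigate, if a customer placed it there); a second pass with a cron job turns the same check into a detection for the chown-to-root scenario the report raises.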
Attachment: 000-default (inode/symlink)