[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: release critical bug in apache2.2?

On Thu, Nov 02, 2006 at 07:20:12PM +0100, Mike Hommey wrote:
> On Thu, Nov 02, 2006 at 03:32:39PM +0100, Bastian Venthur <expires-2007@venthur.de> wrote:
> > Hi
> > 
> > I've just upgraded #393913 from minor to important.
> > 
> >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393913
> > 
> > Somebody just mailed me that this bug is release critical since it
> > allows to read/download php-scripts (like index.php).
> > 
> > Can somebody confirm that this bug is RC or should I just keep it important?
> DirectoryIndex tells apache which file(s) it may use when the url points
> to a directory, instead of creating an index of the directory itself, if
> allowed to.
> The default value for DirectoryIndex is index.html, which
> obviously forgets index.php. But that doesn't mean index.php will be
> readable as source. It only means that the auto index will be displayed
> if no index.html is present and if allowed to.
> Auto-indexes are enabled only in /var/www/apache2-default and
> /usr/share/apache2/icons by default, so it is not likely to leak any
> unexpected file list.
> So no, that doesn't grant an RC bug for these reasons.
> On the other hand, it breaks configurations that used to work... (sites
> relying on this index.php setting will get 403 errors after upgrade from
> 2.0)

I remember that since the change, I had to make changes to several php
applications, because at the same time the default configuration did not
include any configuration in the case where php is not installed as
module but (e.g.) as CGI. phpmyadmin by default had a snippet in
.htaccess that was basically:
    <IfModule mod_cgi.c>
        AddType application/x-httpd-php .php

        Action application/x-httpd-php /cgi-bin/php
    <IfModule mod_cgid.c>
        AddType application/x-httpd-php .php

        Action application/x-httpd-php /cgi-bin/php

I had to put something of the same sort in phppgaccess, for example, as
well as DirectoryIndex index.php.

Since the change for DirectoryIndex happend at the same time, it might
be this that the user has seen. So the disappearance of index.php may
not be RC; however, the treatement of php as CGI is more likely to be

Reply to: