Hi all,
Please find a patch attached which makes it possible to have secure
suexec CGI / FastCGI PHP scripts without using safe_mode (note that this
configuration is currently widely used, for example by shared web hosts,
but there is no way to make it secure with an unpatched PHP version).
For further discussion of the security flaw this allows administrators
to correct, please see my Bugtraq post:
* http://www.securityfocus.com/archive/1/500850
I have made the patch against 5.2.8, but cgi_main.c hasn't changed much
on any branch since then, so if it doesn't apply cleanly to the HEAD, it
won't take much effort to make it apply.
I realise that this adds extra INI variables for security protection
which is unfashionable of late, but it is really a different class of
security protection compared to safe mode et al. This patch merely
allows admins to close a security hole in which script is initially
executed when calling from suexec, rather than trying to restrict what
the script can do once it is run. As such, this patch makes it easier to
safely rely on the operating system to provide security, and reduces the
reliance on safe mode style features.
I think having the ability to safely run PHP from suexec FastCGI
environments is very important for many key applications, such as shared
web-hosting, as these environments need the combination of scripts
running under individual user accounts, and high performance. Many
shared hosting environments already use this type of setup, albeit
insecurely.
Best regards,
Andrew Miller