FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

suPHP -- Privilege escalation

Affected packages
suphp < 0.7.2

Details

VuXML ID 2fbfd455-f2d0-11e2-8a46-000d601460a4
Discovery 2013-05-20
Entry 2013-07-22

suPHP developer Sebastian Marsching reports:

When the suPHP_PHPPath was set, mod_suphp would use the specified PHP executable to pretty-print PHP source files (MIME type x-httpd-php-source or application/x-httpd-php-source).

However, it would not sanitize the environment. Thus a user that was allowed to use the SetEnv directive in a .htaccess file (AllowOverride FileInfo) could make PHP load a malicious configuration file (e.g. loading malicious extensions).

As the PHP process for highlighting the source file was run with the privileges of the user Apache HTTPd was running as, a local attacker could probably execute arbitrary code with the privileges of this user.

References

URL https://lists.marsching.com/pipermail/suphp/2013-May/002552.html