
I'm trying to get PCI compliant and the PCI scanning company is flagging our Ubuntu 12.04.3 (PHP 5.3.10-1ubuntu3.8) for CVE-2013-1635 [1] which says "we do not support the use of open_basedir". What exactly is meant by that? I still see references to both directives in the php.ini file and the PCI company is saying that Canonical has not "addressed" the issue. Any suggestions?

[1] http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1635.html

JSP

  • Why are you using open_basedir? – Michael Hampton Oct 07 '13 at 22:42
  • If your configuration is not using `open_basedir` then this 'issue' doesn't really matter for you. open_basedir has so frequently been found to be a problem that most vendors/maintainers/people have simply given up on it, and use alternatives that actually work. – Zoredache Oct 07 '13 at 22:54
  • To my knowledge we aren't "using" open_basedir... it's commented out. I kind of agree with the PCI vendor then. Commenting out the directive (and leaving the vulnerability) doesn't seem like much of a fix. The code referenced leads me to believe it's more than just commenting out a configuration directive though. – JSP Oct 08 '13 at 00:34
  • In that case, you tell them you aren't using open_basedir and get on with life. – Michael Hampton Oct 10 '13 at 19:30

2 Answers


The sample config file for php has a more detailed explanation:

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.

; NOTE: this is considered a "broken" security measure.
;       Applications relying on this feature will not recieve full
;       support by the security team.  For more information please
;       see /usr/share/doc/php5-common/README.Debian.security

If you are not using the open_basedir feature, the vulnerability will not affect you and is of no concern. Just as the "password bruteforce" vulnerability would not affect you if you have sufficiently secure user passwords.

Note that other security teams also have decided "not to address" this issue as the open_basedir directive is not considered to be a properly implemented security feature:

https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1

This bug will be used as a meta-bug for tracking PHP "safe"-mode/open_basedir issues, which will in general not be fixed in updates for Red Hat Enterprise Linux of the PHP package.

the-wabbit
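The question's "it's commented out" versus the scanner's "you are using it" comes down to whether a php.ini actually sets the directive. The following is an added example, not code from the question or from either answer: a small parser for the php.ini format that tells a commented-out `;open_basedir =` line from an active one, and reports the directories an active setting would restrict file operations to, including per-host `[HOST=...]` and per-path `[PATH=...]` overrides. The two ini snippets are constructed samples. On a running server `php -i` or `ini_get('open_basedir')` remains the authoritative check, because values set at the web-server level (`php_admin_value`, `.user.ini`) are not read here.

```python
"""Decide whether open_basedir is in effect in a php.ini-style file.

Added example (not from the Server Fault thread). Assumptions: the
directive is set only in php.ini itself, and paths are ':'-separated as on
Unix. php.ini syntax handled: ';' comments, '[section]' headers (only
[HOST=...] and [PATH=...] are scoping sections; PHP ignores other names
such as [PHP]), and 'key = value' with optional double quotes.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r'^\s*\[(.+?)\]\s*$')
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$')


def _strip_comment(line: str) -> str:
    """Cut a trailing ';' comment, ignoring semicolons inside double quotes.

    A line that starts with ';' (the stock Ubuntu ';open_basedir =') becomes
    empty here, which is exactly what makes it 'not in use'."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            return line[:i]
    return line


def parse_php_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {scope: {directive: value}}; the global scope is keyed ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue  # blank or fully commented-out line
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            # Only HOST= / PATH= sections change scope; [PHP] etc. are cosmetic.
            current = name if name.startswith(("HOST=", "PATH=")) else ""
            sections.setdefault(current, {})
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            sections[current][key] = value
    return sections


def effective_open_basedir(sections: Dict[str, Dict[str, str]],
                           scope: str = "") -> List[str]:
    """Directories open_basedir would confine file access to in `scope`.

    A HOST=/PATH= scope inherits the global value unless it overrides it.
    An empty list means no restriction is in effect (directive unset,
    commented out, or set to an empty string)."""
    value = sections.get("", {}).get("open_basedir", "")
    if scope:
        value = sections.get(scope, {}).get("open_basedir", value)
    return [p for p in value.split(":") if p]


def relies_on_open_basedir(ini_text: str) -> bool:
    """True if any scope in the file has a non-empty open_basedir."""
    sections = parse_php_ini(ini_text)
    return any(effective_open_basedir(sections, s) for s in sections)


# Constructed sample: the shape of Ubuntu's stock php.ini, directive disabled.
SAMPLE_COMMENTED_OUT = """\
[PHP]
; open_basedir, if set, limits all file operations to the defined directory
;open_basedir =
disable_functions =
"""

# Constructed sample: enabled globally, overridden for one virtual host.
SAMPLE_ACTIVE = """\
[PHP]
open_basedir = "/var/www:/tmp"   ; docroot plus tmp
[HOST=shop.example.com]
open_basedir = /srv/shop:/tmp
"""

if __name__ == "__main__":
    for label, text in (("stock", SAMPLE_COMMENTED_OUT), ("active", SAMPLE_ACTIVE)):
        sections = parse_php_ini(text)
        print(label, "relies on open_basedir:", relies_on_open_basedir(text))
        for scope in sections:
            print("  scope", repr(scope), "->", effective_open_basedir(sections, scope))
```

Run against a server's real php.ini the function answers the scanner's question directly: an empty result for every scope means the directive is not in use and the "not supported" note in the Ubuntu sample config does not apply to that host.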

open_basedir can cause issues and security vulnerabilities, specifically when bugs have been reported and they need to be fixed. You should comment out this directive in php.ini or consider some other operating system, as this is an Ubuntu-specific issue. I suggest you better use CentOS. Consult your developer; if this directive is not required, better comment it out in php.ini.

user105566
  • This is in no way an Ubuntu-specific issue. Especially RHEL (and thus CentOS as well) has taken the same approach - see my answer. – the-wabbit Oct 10 '13 at 20:49