Issue with @inspectFile CGI environment variable PATH_TRANSLATED

[TobiasGrave]

ModSecurity for Apache 2 sets CGI environment variable "PATH_TRANSLATED" to the file upload approver script name when using inspectFile. This breaks file upoloads for some popular PHP applications (e.g. Typo3), because this variable is also passed to the PHP process that handles the file upload.

It seems that this variable is usually unset for PHP, so I have commented out the following lines in apache2/apache2_util.c:

/* PHP hack, getting around its silly security checks. */
apr_table_add(r->subprocess_env, "PATH_TRANSLATED", command);
apr_table_add(r->subprocess_env, "REDIRECT_STATUS", "302");

This seems to fix this issue for me, file uploads and the approver script still work as expected with PHP in both CGI and FastCGI mode (tested with PHP 5.2, 5.3, 5.5 and 5.6).

This variable has been added in 2003 to fix an issue with PHP: http://blog.modsecurity.org/2003/07/fun-with-php-cl.html

I'm not sure if it is safe to remove this, my guess is that it has been added to allow inspectFile and exec to run PHP-scripts, because PHP thinks it is running in CGI mode when CGI environment varaibles are present, and then a security check would fail if PATH_TRANSLATED is not set to the PHP script name.

[zimmerle]

Hi @TobiasGrave, Thanks for the report. This requires further investigation. Those variables may not be needed any longer, or may not be needed in your specific case. It means that we can remove this code or have a configuration directive to enable/disable it. I will mark this as new feature so we can discuss what to do.

[azurit]

Any news on this? This is still an issue in version 2.9.3 (file uploads are still broken with typo3).

[azurit]

This should be considered also as a security problem as this information can be used to detect modsecurity and anti-virus software (i was really wondered how typo3 get to the script name and path used to run antivirus..).

[azurit]

Is it safe (or relatively safe) to remove lines mentioned in the original issue text?

[TobiasGrave]

The 2 problematic code lines were added in the year 2003 to fix an issue with file upload approver scripts written in PHP. As far as I understand, the problem was that PHP versions prior to 4.3.0 only had a single PHP binary for CGI and CLI mode, and CGI mode was activated automatically if CGI environment variables were present. Apache automatically sets CGI enviroment variables, so a file upload approver script that uses a PHP version prior to 4.3.0 would always run in CGI mode. It seems that PHP in CGI mode has some security checks and refuses to run if the executed script file name does not match the according CGI enviroment variables, so that a file upload approver script written in PHP would always fail. To overcome this issue, Modsecurity modifies these 2 CGI enviroment variables. However, this modification remains when a CGI script is executed later to handle the upload file, causing other problems like this one with file uploads in Typo3.

Maybe a simple example helps to better understand the problem:

Say we have a file upload form that uses a POST request to a PHP CGI script named upload.php that resides in the directory /var/www and the following ModSecurity rule:

SecRule FILES_TMPNAMES "@inspectFile /usr/bin/inspect.php" "deny,status:403,id:123456789,log,msg:'Malicous file upload'"

Before the upload is processed by upload.php, the approver script is executed with the modified CGI enviroment variables, so that PATH_TRANSLATED is changed from /var/www/upload.php to /usr/bin/inspect.php. This change remains when the approver accepts the upload file and the CGI script upload.php is executed. This leads to a problem if for some reason upload.php expects PATH_TRANSLATED to point to itself.

A simple solution would be to drop these lines altogether, because the affected PHP versions are completely outdated (support for PHP 4.2 ended 17 years ago). Otherwise one would have to store the original values of both environment variables and restore them after executing the file upload approver script.