[PHP-DOC] #37273 [Com]: Symlinks and session handler allow open_basedir bypass
by A Dot D Dot Stribblehill At Durham Dot Ac Dot Uk
Jul 27 2006 4:41AM
ID:               37273
Comment by:       a dot d dot stribblehill at durham dot ac dot uk
Reported By:      c dot i dot morris at durham dot ac dot uk
Status:           Open
Bug Type:         Documentation problem
Operating System: Linux
PHP Version:      5.1.3
New Comment:

This is *not* a documentation bug: as the original report says, it is a
security vulnerability -- one that can and should be fixed in the code.


Previous Comments:
------------------------------------------------------------------------

[2006-07-27 01:34:11] sniper@[...].net

Reclassified. Ilia will give more info for whomever is going to
document this.

------------------------------------------------------------------------

[2006-06-16 14:32:37] c dot i dot morris at durham dot ac dot uk

For a possible solution to this, in ext/session/mod_files.c, the
ps_files_open function has:
data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY,
				data->filemode);

On systems that support O_NOFOLLOW (FreeBSD, Linux >=2.2, maybe others)
you can probably do
data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW,
				data->filemode);
which will cause this open to fail (with error ELOOP) if the session
file is a symlink rather than a regular file.

On systems that don't support O_NOFOLLOW, stat()ing the file and making
sure the file mode isn't S_IFLNK should do it.

Would you like me to try to put together a patch for this?
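
The O_NOFOLLOW fix and the symlink-check fallback proposed in this comment, as an added C example that is not part of the bug report or of PHP's mod_files.c: the opener names and the fixture under /tmp are assumptions of mine, and the fallback uses lstat() because the check has to see the link itself rather than whatever it points to.

```c
#define _GNU_SOURCE  /* expose O_NOFOLLOW and mkdtemp under strict -std flags */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Like the ps_files_open() call quoted above: a symlink named sess_<id> is followed. */
int open_session_naive(const char *path, mode_t mode)
{
    return open(path, O_CREAT | O_RDWR, mode);
}

/* Hardened: with O_NOFOLLOW the kernel refuses to open a symlink at the
 * final path component (ELOOP on Linux; FreeBSD reports EMLINK). */
int open_session_nofollow(const char *path, mode_t mode)
{
    return open(path, O_CREAT | O_RDWR | O_NOFOLLOW, mode);
}

/* Fallback without O_NOFOLLOW: lstat() (stat() would follow the link) and
 * refuse S_IFLNK; a link planted between lstat() and open() slips through. */
int open_session_lstat(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    return open(path, O_CREAT | O_RDWR, mode);
}

/* Constructed fixture: temp save_path with a regular sess_good and a sess_abc
 * symlink pointing outside it. Returns the errno the opener rejected the link
 * with (ELOOP on Linux), 0 if it followed it or refused sess_good, -1 on setup error. */
int check_opener(int (*opener)(const char *, mode_t))
{
    char dir[] = "/tmp/sess.XXXXXX", regular[64], link[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(regular, sizeof regular, "%s/sess_good", dir);
    snprintf(link, sizeof link, "%s/sess_abc", dir);
    snprintf(target, sizeof target, "%s.outside", dir); /* sibling of dir */
    if (symlink(target, link) != 0) return -1;
    int rfd = opener(regular, 0600);
    int lfd = opener(link, 0600), err = errno;   /* capture before cleanup */
    if (rfd >= 0) close(rfd);
    if (lfd >= 0) close(lfd);
    unlink(regular); unlink(link); unlink(target); rmdir(dir);
    return (rfd >= 0 && lfd < 0) ? err : 0;
}
```

check_opener(open_session_naive) returns 0 because the write lands in the sibling file outside save_path, which is the bypass; both hardened openers return ELOOP for the link while still accepting the regular session file.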

------------------------------------------------------------------------

[2006-05-03 16:19:05] c dot i dot morris at durham dot ac dot uk

As above - I managed to lose the bug password and it took a while to
come through to my email.

------------------------------------------------------------------------

[2006-05-03 13:30:53] cim at compsoc dot dur dot ac dot uk

Ah, there appears to be some confusion over what I mean. I don't mean
ini_set() the session directory to a symlink, I mean set the session
directory to a real directory (which, yes, must be within open_basedir
confines) that contains a symlink outside open_basedir.
(So, for example, open_basedir = /users/www1/, create a symlink from
/users/www1/bob/sess_abc to /users/www2/fred/target, ini_set() the
session storage directory to /users/www1/bob/, and then create a
session with ID 'abc' using ?PHPSESSID=abc)

Does that make more sense?

------------------------------------------------------------------------

[2006-05-03 13:18:04] iliaa@[...].net

The change of the INI setting for save_path is already being 
validated against both safe_mode and open_basedir. If you try 
to set them to a symlink pointing to an external file you will 
get an error message like this:
Warning: ini_set(): open_basedir restriction in effect. File
(...) is not within the allowed path(s): (...)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/37273

-- 
Edit this bug report at http://bugs.php.net/?id=37273&edit=1
