Edit report at https://bugs.php.net/bug.php?id=53495&edit=1

 ID:                 53495
 Updated by:         s...@php.net
 Reported by:        marcel dot esser at gmail dot com
 Summary:            PHP should fail if executed as superuser and php.ini
                     is world-writeable
 Status:             Open
-Type:               Security
+Type:               Feature/Change Request
 Package:            PHP options/info functions
 Operating System:   UNIX-like
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2011-03-19 01:54:24] geiss...@php.net

Personal opinion follows:

a) If such a check was to be included, there's no reason to special case it to 
root. Arbitrary code execution under whatever user is an issue.

b) There are plenty of other ways to escalate privileges if files are 
world-writeable. Only checking for php.ini's perms would give a false sense of 
security, while checking for every single file read by php would be paranoid 
and a waste of time.

There's an easier fix: don't make files world-writeable.

(I don't see anything in this report that requires it to be private, so I'm 
removing the flag.)

------------------------------------------------------------------------
[2010-12-08 02:00:07] marcel dot esser at gmail dot com

Description:
------------
PHP should fail if executed as root, and if the currently used php.ini is world 
writable.

If php.ini is left world-writable, an attacker can auto-prepend or auto-append 
malicious code to execute when a script is invoked as root.

Test script:
---------------
marcel@kekeke:~$ sudo php test.php
I am executing as root!
hello

marcel@kekeke:~$ cat /etc/php5/php.ini | grep -i auto_prepend
auto_prepend_file = /tmp/malice.php

marcel@kekeke:~$ ls -lah /tmp/malice.php 
-rw-r--r-- 1 marcel marcel 40 Dec  8 00:58 /tmp/malice.php

marcel@kekeke:~$ ls -lah /etc/php5/php.ini 
-rw-rw-rw- 1 root root 67K Dec  8 00:57 /etc/php5/php.ini

marcel@kekeke:~$ cat test.php
<?php
echo "hello\n";


Expected result:
----------------
PHP should error out fatal, probably.

Actual result:
--------------
PHP runs the malicious code.


------------------------------------------------------------------------
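
Added example, not part of the bug report or of PHP's code: a shell audit for the condition the report describes (a world-writable php.ini) and for the wider point of the first comment, that the files php.ini pulls in matter just as much. The function names and the temporary sample tree are constructed for illustration; it reads one ini file, checks only absolute auto_prepend_file/auto_append_file paths and their immediate directory, and does not follow additional ini scan directories.

```shell
# Added example (not PHP's code): report who besides a trusted owner could
# change a php.ini or a file it auto-includes. All function names are made up.

# Emit one FAIL line per problem on a path. $1=label $2=path $3=trusted uid
check_path() {
    info=$(ls -ldnL -- "$2" 2>/dev/null) || { echo "FAIL $1 is missing: $2"; return 0; }
    mode=${info%% *}                                  # e.g. -rw-rw-rw-
    uid=$(printf '%s\n' "$info" | awk '{print $3}')   # numeric owner
    case $mode in
        ????????w*) echo "FAIL $1 is world-writable: $2 ($mode)" ;;
    esac
    [ "$uid" = "$3" ] || echo "FAIL $1 is owned by uid $uid, not $3: $2"
}

# Print the last uncommented value of directive $2 in ini file $1, unquoted.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Audit one ini file. $1=php.ini path, $2=trusted owner uid (default 0, root)
audit_php_ini() {
    ini=$1; owner=${2:-0}
    check_path "ini file" "$ini" "$owner"
    check_path "ini directory" "$(dirname -- "$ini")" "$owner"
    for directive in auto_prepend_file auto_append_file; do
        target=$(ini_value "$ini" "$directive")
        case $target in
            ''|none) continue ;;                      # directive not in use
            /*) check_path "$directive target" "$target" "$owner"
                check_path "$directive directory" "$(dirname -- "$target")" "$owner" ;;
            *)  echo "WARN $directive is relative, resolved via include_path: $target" ;;
        esac
    done
}

# Constructed sample mirroring the report: 0666 ini, include file in a 1777 dir.
demo() {   # $1 = trusted uid (defaults to the current user so the demo is stable)
    d=$(mktemp -d); mkdir "$d/etc" "$d/tmp"; chmod 755 "$d/etc"; chmod 1777 "$d/tmp"
    printf 'auto_prepend_file = %s\n;auto_append_file = /x\n' "$d/tmp/malice.php" > "$d/etc/php.ini"
    echo '<?php' > "$d/tmp/malice.php"
    chmod 666 "$d/etc/php.ini"; chmod 644 "$d/tmp/malice.php"
    audit_php_ini "$d/etc/php.ini" "${1:-$(id -u)}"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then audit_php_ini "$@"; else demo; fi
```

Run with a path, for example `sh audit.sh /etc/php5/php.ini`, it checks that file against root ownership; with no argument it runs the constructed sample.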


