ID: 34793
Updated by: [EMAIL PROTECTED]
Reported By: glen at delfi dot ee
-Status: Open
+Status: Bogus
Bug Type: CGI related
Operating System: PLD Linux
PHP Version: 5.1.0RC1

New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Previous Comments:
------------------------------------------------------------------------

[2005-10-09 18:13:31] glen at delfi dot ee

Description:
------------
php cli searches for php.ini in the current dir, and when the current directory happens to be a world-writable directory, a malicious user can put a php.ini there that loads a malicious extension.

php cli is used, for example, to install PEAR packages, and for a PEAR install to succeed it needs to be run as root.

Reproduce code:
---------------
1. create /tmp/php.ini containing
[PHP]
extension=/../../../tmp/malicious.so
2. create php extension and save it to /tmp/malicious.so
3. wait for root to run any php-cli program in /tmp
4. your code in malicious.so gets executed.

Expected result:
----------------
php should not read php.ini from arbitrary locations, it should read it only from hardcoded paths, or one specified on the command line.

Actual result:
--------------
$ strace -eopen php -m
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/usr/lib/libphp_common-5.1.0RC1.so", O_RDONLY) = 6
open("/lib/libcrypt.so.1", O_RDONLY) = 6
open("/lib/libm.so.6", O_RDONLY) = 6
open("/lib/libz.so.1", O_RDONLY) = 6
open("/lib/libresolv.so.2", O_RDONLY) = 6
open("/lib/libpthread.so.0", O_RDONLY) = 6
open("/usr/lib/libxml2.so.2", O_RDONLY) = 6
open("/lib/libdl.so.2", O_RDONLY) = 6
open("/lib/libhistory.so.5", O_RDONLY) = 6
open("/lib/libreadline.so.5", O_RDONLY) = 6
open("/lib/libncurses.so.5", O_RDONLY) = 6
open("/lib/libc.so.6", O_RDONLY) = 6
open("/lib/libtinfo.so.5", O_RDONLY) = 6
open("/etc/localtime", O_RDONLY) = 6
open("/tmp/php.ini", O_RDONLY) = 6
open("/tmp/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/php/php-cli.ini", O_RDONLY) = 6
open("/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 6
open("/etc/php/conf.d/pcre.ini", O_RDONLY) = 6
open("/etc/php/conf.d/xml.ini", O_RDONLY) = 6
open("/usr/lib/php//../../../tmp/malicious.so", O_RDONLY) = 6
open("/usr/lib/php/pcre.so", O_RDONLY) = 6

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=34793&edit=1
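
An added example, not part of the bug report or of PHP: a shell check an administrator could run before invoking php-cli in a directory, to see whether one of the ini files named in the strace output above is present there and whether it loads an extension by path. The function names and the return-status convention are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the bug report: checks whether running php-cli in
# DIR would pick up a local ini file (file names taken from the strace output).
# Return status: 0 = no local ini file, 1 = local ini file present,
#                2 = local ini file present and it loads an extension by path.

# Print the value of each extension= / zend_extension= line in an ini file.
ini_extension_values() {
    sed -n 's/^[[:space:]]*\(zend_\)\{0,1\}extension[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '"' | sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//'
}

# Hypothetical helper name; DIR defaults to the current directory.
audit_php_cwd() {
    dir=${1:-.}
    risk=0
    for name in php.ini php-cli.ini; do
        ini=$dir/$name
        [ -f "$ini" ] || continue
        [ "$risk" -ge 1 ] || risk=1
        echo "local ini file: $ini (owner uid $(ls -ln "$ini" | awk '{ print $3 }'))"
        # A bare module name is looked up under extension_dir; a value that
        # contains a slash is a path chosen by whoever wrote the ini file.
        values=$(ini_extension_values "$ini")
        if printf '%s\n' "$values" | grep -q '/'; then
            risk=2
            printf '%s\n' "$values" | sed -n 's|^.*/.*$|  extension loaded by path: &|p'
        fi
    done
    # In a world-writable directory any local user can create the ini file.
    if [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo "world-writable directory: $dir"
    fi
    return "$risk"
}

# Audit the directory given as the first argument, or the current one.
audit_php_cwd "${1:-.}" || echo "risk level: $?"
```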