ID: 34793 User updated by: glen at delfi dot ee Reported By: glen at delfi dot ee -Status: Bogus +Status: Open -Bug Type: CGI related +Bug Type: Feature/Change Request Operating System: PLD Linux PHP Version: 5.1.0RC1 New Comment:
in fact i know that documentation says so. but that doesn't mean it supposed to be like this? can't you at least consider securing it, by adding some option to enable/disable this? so i changed category to feature request! Previous Comments: ------------------------------------------------------------------------ [2005-10-09 19:14:38] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php ------------------------------------------------------------------------ [2005-10-09 18:13:31] glen at delfi dot ee Description: ------------ php cli searches for php.ini from current dir, and when current directory appears to be world writable directory, then malicious user can put there php.ini loading malicious extension. php cli is used for example to install PEAR packages, and for PEAR install to succeed it needs to be run as root. Reproduce code: --------------- 1. create /tmp/php.ini containing [PHP] extension=/../../../tmp/malicious.so 2. create php extension and save it to /tmp/malicious.so 3. wait for root run any php-cli program in /tmp 4. your code in malicious.so gets executed. Expected result: ---------------- php should not read php.ini from arbitary locations, it should read it only from hardcoded paths, or one specified from commandline. Actual result: -------------- $ strace -eopen php -m open("/etc/ld.so.cache", O_RDONLY) = 6 open("/usr/lib/libphp_common-5.1.0RC1.so", O_RDONLY) = 6 open("/lib/libcrypt.so.1", O_RDONLY) = 6 open("/lib/libm.so.6", O_RDONLY) = 6 open("/lib/libz.so.1", O_RDONLY) = 6 open("/lib/libresolv.so.2", O_RDONLY) = 6 open("/lib/libpthread.so.0", O_RDONLY) = 6 open("/usr/lib/libxml2.so.2", O_RDONLY) = 6 open("/lib/libdl.so.2", O_RDONLY) = 6 open("/lib/libhistory.so.5", O_RDONLY) = 6 open("/lib/libreadline.so.5", O_RDONLY) = 6 open("/lib/libncurses.so.5", O_RDONLY) = 6 open("/lib/libc.so.6", O_RDONLY) = 6 open("/lib/libtinfo.so.5", O_RDONLY) = 6 open("/etc/localtime", O_RDONLY) = 6 open("/tmp/php.ini", O_RDONLY) = 6 open("/tmp/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/php/php-cli.ini", O_RDONLY) = 6 open("/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE| O_DIRECTORY) = 6 open("/etc/php/conf.d/pcre.ini", O_RDONLY) = 6 open("/etc/php/conf.d/xml.ini", O_RDONLY) = 6 open("/usr/lib/php//../../../tmp/malicious.so", O_RDONLY) = 6 open("/usr/lib/php/pcre.so", O_RDONLY) = 6 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=34793&edit=1