ID: 34793 Comment by: adamg at agmk dot net Reported By: glen at delfi dot ee Status: Open Bug Type: Feature/Change Request Operating System: PLD Linux PHP Version: 5.1.0RC1 New Comment:
I believe this behaviour is wrong and PHP should be fixed not to look for php.ini in the current directory for the reasons described by glen. Ideally (as I see it) is a fixed location in /etc and (optionally) in home dir of user running the script. Why do you think this bug report is bogus? What are the reasons for keeping such behaviour? Previous Comments: ------------------------------------------------------------------------ [2005-10-10 00:05:36] glen at delfi dot ee in fact i know that documentation says so. but that doesn't mean it supposed to be like this? can't you at least consider securing it, by adding some option to enable/disable this? so i changed category to feature request! ------------------------------------------------------------------------ [2005-10-09 19:14:38] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php ------------------------------------------------------------------------ [2005-10-09 18:13:31] glen at delfi dot ee Description: ------------ php cli searches for php.ini from current dir, and when current directory appears to be world writable directory, then malicious user can put there php.ini loading malicious extension. php cli is used for example to install PEAR packages, and for PEAR install to succeed it needs to be run as root. Reproduce code: --------------- 1. create /tmp/php.ini containing [PHP] extension=/../../../tmp/malicious.so 2. create php extension and save it to /tmp/malicious.so 3. wait for root run any php-cli program in /tmp 4. your code in malicious.so gets executed. Expected result: ---------------- php should not read php.ini from arbitary locations, it should read it only from hardcoded paths, or one specified from commandline. Actual result: -------------- $ strace -eopen php -m open("/etc/ld.so.cache", O_RDONLY) = 6 open("/usr/lib/libphp_common-5.1.0RC1.so", O_RDONLY) = 6 open("/lib/libcrypt.so.1", O_RDONLY) = 6 open("/lib/libm.so.6", O_RDONLY) = 6 open("/lib/libz.so.1", O_RDONLY) = 6 open("/lib/libresolv.so.2", O_RDONLY) = 6 open("/lib/libpthread.so.0", O_RDONLY) = 6 open("/usr/lib/libxml2.so.2", O_RDONLY) = 6 open("/lib/libdl.so.2", O_RDONLY) = 6 open("/lib/libhistory.so.5", O_RDONLY) = 6 open("/lib/libreadline.so.5", O_RDONLY) = 6 open("/lib/libncurses.so.5", O_RDONLY) = 6 open("/lib/libc.so.6", O_RDONLY) = 6 open("/lib/libtinfo.so.5", O_RDONLY) = 6 open("/etc/localtime", O_RDONLY) = 6 open("/tmp/php.ini", O_RDONLY) = 6 open("/tmp/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/php/php-cli.ini", O_RDONLY) = 6 open("/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE| O_DIRECTORY) = 6 open("/etc/php/conf.d/pcre.ini", O_RDONLY) = 6 open("/etc/php/conf.d/xml.ini", O_RDONLY) = 6 open("/usr/lib/php//../../../tmp/malicious.so", O_RDONLY) = 6 open("/usr/lib/php/pcre.so", O_RDONLY) = 6 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=34793&edit=1