From: glen at delfi dot ee
Operating system: PLD Linux
PHP version: 5.1.0RC1
PHP Bug Type: CGI related
Bug description: php-cli searches php.ini from current dir which can be abused

Description:
------------
php cli searches for php.ini in the current dir, and when the current directory happens to be a world-writable directory, then a malicious user can put there a php.ini loading a malicious extension. php cli is used for example to install PEAR packages, and for PEAR install to succeed it needs to be run as root.

Reproduce code:
---------------
1. create /tmp/php.ini containing

[PHP]
extension=/../../../tmp/malicious.so

2. create a php extension and save it to /tmp/malicious.so
3. wait for root to run any php-cli program in /tmp
4. your code in malicious.so gets executed.

Expected result:
----------------
php should not read php.ini from arbitrary locations; it should read it only from hardcoded paths, or from the one specified on the command line.

Actual result:
--------------
$ strace -eopen php -m
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/usr/lib/libphp_common-5.1.0RC1.so", O_RDONLY) = 6
open("/lib/libcrypt.so.1", O_RDONLY) = 6
open("/lib/libm.so.6", O_RDONLY) = 6
open("/lib/libz.so.1", O_RDONLY) = 6
open("/lib/libresolv.so.2", O_RDONLY) = 6
open("/lib/libpthread.so.0", O_RDONLY) = 6
open("/usr/lib/libxml2.so.2", O_RDONLY) = 6
open("/lib/libdl.so.2", O_RDONLY) = 6
open("/lib/libhistory.so.5", O_RDONLY) = 6
open("/lib/libreadline.so.5", O_RDONLY) = 6
open("/lib/libncurses.so.5", O_RDONLY) = 6
open("/lib/libc.so.6", O_RDONLY) = 6
open("/lib/libtinfo.so.5", O_RDONLY) = 6
open("/etc/localtime", O_RDONLY) = 6
open("/tmp/php.ini", O_RDONLY) = 6
open("/tmp/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/php/php-cli.ini", O_RDONLY) = 6
open("/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 6
open("/etc/php/conf.d/pcre.ini", O_RDONLY) = 6
open("/etc/php/conf.d/xml.ini", O_RDONLY) = 6
open("/usr/lib/php//../../../tmp/malicious.so", O_RDONLY) = 6
open("/usr/lib/php/pcre.so", O_RDONLY) = 6

--
Edit bug report at http://bugs.php.net/?id=34793&edit=1
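The following wrapper is an added example, not code from the bug report or from PHP. It shows the two practical defences a practitioner would want while the search order in the strace above is in effect: refuse to run php-cli from a directory another local user could have seeded with php.ini, and always hand php an explicit ini path with `-c` so the current directory is never consulted (`php -n` would skip ini files entirely). The site ini path `/etc/php/php-cli.ini` is taken from the strace output; the `PHP_INI_FILE` variable, the function names and the messages are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from PHP.
# Assumed: the site ini is /etc/php/php-cli.ini (seen in the strace) and can be
# overridden through PHP_INI_FILE; function names are this example's own.

# ini_dir_risky DIR
# Succeeds (exit 0) when DIR could let another local user influence ini
# loading: it is world-writable, or it already holds a php.ini / php-cli.ini.
ini_dir_risky() {
    dir=$1
    # World-writable: anyone can drop a php.ini here before root cd's in.
    # The sticky bit does not help; the attacker creates the file rather than
    # replacing one of ours.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        return 0
    fi
    for f in php.ini php-cli.ini; do
        [ -e "$dir/$f" ] && return 0
    done
    return 1
}

# ini_suspicious_extensions FILE
# Prints extension= / zend_extension= lines whose value contains "..", i.e.
# paths that climb out of extension_dir the way the report's
# "/../../../tmp/malicious.so" does. Exit status 0 when at least one is found.
ini_suspicious_extensions() {
    grep -E '^[[:space:]]*(zend_)?extension[[:space:]]*=' "$1" 2>/dev/null |
        grep -F '..'
}

# safe_php ARGS...
# Refuse to run from a risky directory; otherwise pass an explicit ini path
# with -c so php does not search the current directory for php.ini.
safe_php() {
    ini=${PHP_INI_FILE:-/etc/php/php-cli.ini}
    if ini_dir_risky "$PWD"; then
        echo "safe_php: refusing to run php from $PWD (world-writable or contains php.ini)" >&2
        for f in "$PWD"/php.ini "$PWD"/php-cli.ini; do
            [ -f "$f" ] && ini_suspicious_extensions "$f" >&2
        done
        return 2
    fi
    php -c "$ini" "$@"
}
```

Usage: in the report's scenario, `cd /tmp && safe_php -m` refuses and prints the offending `extension=/../../../tmp/malicious.so` line, whereas `php -m` would load the planted extension. Even without the wrapper, running PEAR installs as `php -c /etc/php/php-cli.ini ...` (or with `-n` plus explicit `-d` settings) removes the current directory from the search order.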