From: glen at delfi dot ee
Operating system: PLD Linux
PHP version: 5.1.0RC1
PHP Bug Type: CGI related
Bug description: php-cli searches php.ini from current dir which can be abused
Description:
------------
php cli searches for php.ini from current dir, and when
current directory appears to be world writable directory,
then malicious user can put there php.ini loading malicious
extension.
php cli is used for example to install PEAR packages, and
for PEAR install to succeed it needs to be run as root.
Reproduce code:
---------------
1. create /tmp/php.ini containing
[PHP]
extension=/../../../tmp/malicious.so
2. create php extension and save it to /tmp/malicious.so
3. wait for root run any php-cli program in /tmp
4. your code in malicious.so gets executed.
Expected result:
----------------
php should not read php.ini from arbitary locations, it
should read it only from hardcoded paths, or one specified
from commandline.
Actual result:
--------------
$ strace -eopen php -m
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/usr/lib/libphp_common-5.1.0RC1.so", O_RDONLY) = 6
open("/lib/libcrypt.so.1", O_RDONLY) = 6
open("/lib/libm.so.6", O_RDONLY) = 6
open("/lib/libz.so.1", O_RDONLY) = 6
open("/lib/libresolv.so.2", O_RDONLY) = 6
open("/lib/libpthread.so.0", O_RDONLY) = 6
open("/usr/lib/libxml2.so.2", O_RDONLY) = 6
open("/lib/libdl.so.2", O_RDONLY) = 6
open("/lib/libhistory.so.5", O_RDONLY) = 6
open("/lib/libreadline.so.5", O_RDONLY) = 6
open("/lib/libncurses.so.5", O_RDONLY) = 6
open("/lib/libc.so.6", O_RDONLY) = 6
open("/lib/libtinfo.so.5", O_RDONLY) = 6
open("/etc/localtime", O_RDONLY) = 6
open("/tmp/php.ini", O_RDONLY) = 6
open("/tmp/php-cli.ini", O_RDONLY) = -1 ENOENT (No
such file or directory)
open("/etc/php/php-cli.ini", O_RDONLY) = 6
open("/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
O_DIRECTORY) = 6
open("/etc/php/conf.d/pcre.ini", O_RDONLY) = 6
open("/etc/php/conf.d/xml.ini", O_RDONLY) = 6
open("/usr/lib/php//../../../tmp/malicious.so", O_RDONLY) =
6
open("/usr/lib/php/pcre.so", O_RDONLY) = 6
--
Edit bug report at http://bugs.php.net/?id=34793&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=34793&r=trysnapshot4
Try a CVS snapshot (php5.0):
http://bugs.php.net/fix.php?id=34793&r=trysnapshot50
Try a CVS snapshot (php5.1):
http://bugs.php.net/fix.php?id=34793&r=trysnapshot51
Fixed in CVS: http://bugs.php.net/fix.php?id=34793&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=34793&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=34793&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=34793&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=34793&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=34793&r=support
Expected behavior: http://bugs.php.net/fix.php?id=34793&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=34793&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=34793&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=34793&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=34793&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=34793&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=34793&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=34793&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=34793&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=34793&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=34793&r=mysqlcfg
