#42952 [Fbk-Opn]: soap cache file is created with insecure permissions on some configurations

2007-11-01 Thread glen at delfi dot ee
 ID:   42952
 User updated by:  glen at delfi dot ee
 Reported By:  glen at delfi dot ee
-Status:   Feedback
+Status:   Open
 Bug Type: SOAP related
 Operating System: PLD Linux
 PHP Version:  5.2.4
 Assigned To:  dmitry
 New Comment:

Do you mean different SAPIs like CLI?

But different SAPIs have separate php.ini files, where they can 
define a path suitable for them (writable).

And in fact I've done that in our distribution. So you consider this 
a distribution-related issue?


Previous Comments:


[2007-11-01 12:39:30] [EMAIL PROTECTED]

I am not sure it is a good patch.

The same WSDL files may be used by different users and your patch will
allow access to cache only to first user.



[2007-10-12 16:55:27] glen at delfi dot ee

here's patch to fix the problem:

http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/php-bug-42952.patch



[2007-10-12 16:53:01] glen at delfi dot ee

Description:

soap cache file is created with insecure permissions on some 
configurations:

-rw-rw-rw- 1 http http 67K Oct 12 19:10 wsdl-cf39a31ae8dbd9b9899539495756434d

by default cache is enabled and cache directory is set to /tmp:
http://ee.php.net/manual/en/ref.soap.php

#ifdef ZEND_WIN32
f = open(fn,O_CREAT|O_WRONLY|O_EXCL|O_BINARY,S_IREAD|S_IWRITE);
#else
f = open(fn,O_CREAT|O_WRONLY|O_EXCL|O_BINARY,S_IREAD|S_IWRITE|
S_IROTH|S_IWOTH|S_IRGRP|S_IWGRP);
#endif

probably in shared environments somebody could replace cache file 
with evil content and cause soap requests to be sent to infected 
webserver capturing user passwords logins, depending on application.

Reproduce code:
---
create sample wsdl.xml from:
http://www.roguewave.com/support/docs/leif/leif/html/soapworxug/A-1.html


$ (rm -f /tmp/wsdl-*; umask 0; strace -ff -eopen php -r '$s = new SoapClient("/tmp/wsdl.xml");' 2>&1|grep wsdl; ls -l /tmp/wsdl-*)

open(/tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/tmp/wsdl.xml, O_RDONLY) = 5
open(/tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7, O_WRONLY|O_CREAT|O_EXCL, 0666) = 5
-rw-rw-rw- 1 glen glen 488 2007-10-12 19:50 /tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7







-- 
Edit this bug report at http://bugs.php.net/?id=42952&edit=1


#42952 [Fbk-Opn]: soap cache file is created with insecure permissions on some configurations

2007-11-01 Thread glen at delfi dot ee
 ID:   42952
 User updated by:  glen at delfi dot ee
 Reported By:  glen at delfi dot ee
-Status:   Feedback
+Status:   Open
 Bug Type: SOAP related
 Operating System: PLD Linux
 PHP Version:  5.2.4
 Assigned To:  dmitry
 New Comment:

So perhaps keep user id (getuid()) in the cache filename?


Previous Comments:


[2007-11-01 13:32:18] [EMAIL PROTECTED]

Even one SAPI in shared environment will have the same issue.
If you have several php-cgi processes with different UID, only one of
them will own the cache file, and all others won't be able to access it.



[2007-11-01 13:10:17] glen at delfi dot ee

Do you mean different SAPIs like CLI?

But different SAPIs have separate php.ini files, where they can 
define a path suitable for them (writable).

And in fact I've done that in our distribution. So you consider this 
a distribution-related issue?



-- 
Edit this bug report at http://bugs.php.net/?id=42952&edit=1
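
Added example (not PHP's code and not the linked patch): a C sketch of the two points raised in this thread, namely that open() with mode 0666 yields a world-writable cache file when the umask is 0, and that an owner-only mode combined with the uid in the file name gives each user a separate cache. cache_name() and created_mode() are hypothetical helpers, and the scratch directory is constructed for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: cache file name, optionally carrying the caller's uid. */
int cache_name(char *out, size_t n, const char *dir, const char *key, int per_user)
{
    if (per_user)
        return snprintf(out, n, "%s/wsdl-%lu-%s", dir, (unsigned long)getuid(), key);
    return snprintf(out, n, "%s/wsdl-%s", dir, key);
}

/* Create a cache file with the requested mode under the given umask.
 * Returns the permission bits the file actually got, or -1 on error. */
int created_mode(mode_t requested, mode_t mask, int per_user)
{
    char dir[] = "/tmp/soapcache-demo-XXXXXX";   /* constructed scratch dir */
    char fn[256];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    cache_name(fn, sizeof fn, dir, "d3d4b363f5423ee77d7e0342af8881c7", per_user);
    mode_t old = umask(mask);
    int f = open(fn, O_CREAT | O_WRONLY | O_EXCL, requested);
    umask(old);                                   /* restore caller's umask */
    if (f >= 0) {
        if (fstat(f, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(f);
        unlink(fn);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("0666, umask 0:   %04o\n", (unsigned)created_mode(0666, 0, 0));
    printf("0666, umask 022: %04o\n", (unsigned)created_mode(0666, 022, 0));
    printf("0600, umask 0:   %04o\n", (unsigned)created_mode(0600, 0, 1));
    return 0;
}
```

With mode 0600 the result no longer depends on the process umask, and the per-user name avoids the case where only the first user to create the file can read it.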