From: c dot i dot morris at durham dot ac dot uk Operating system: Linux PHP version: 5.1.3 PHP Bug Type: Session related Bug description: Symlinks and session handler allow open_basedir bypass
Description: ------------ [Filed in bug tracking system as stated in message to [EMAIL PROTECTED] on 25 April following no response to that message or the similar message on 31 March] Creation of symlinks in a user-specified directory allows creation and editing of any web-server writable file bypassing open_basedir and other safe-mode checks. PHP session creation allows any alphanumeric session id to be specified by the client by setting $_GET['PHPSESSID']. PHP then creates (or overwrites if it exists) a file called "sess_".session_id() in the directory specified in the session.save_path configuration option. When doing this, it does not check whether the session file is a real file or a symlink. Reproduce code: --------------- 1) Create a symlink named "sess_foo" in a directory owned by the script owner and within the open_basedir confines, to the file that will be overwritten with junk session data. The file to be overwritten must be webserver-writable but can be outside the open_basedir confines. Alternatively you can use a broken symlink to a web-server writable directory. 2) Make the following script: <?php ini_set("session.save_path","/path/where/sess_foo/symlink/is/"); session_start(); $_SESSION['bar'] = "bar"; session_write_close(); ?> 3) Call this script with ?PHPSESSID=foo Obviously for this to work, sessions must be enabled, setting session save paths must be allowed, the filesystem must support symbolic links (and the exploiting user must be able to create them, which will generally require shell access), and PHP must be running as an Apache module rather than as suexeced CGI. Expected result: ---------------- Some sort of error about invalid session data (or possibly just a silent refusal to use that session and the creation of a new session). PHP should check that the session file "sess_".session_id() either does not exist, or exists and is a real file rather than a symlink, before attempting to read from or write to it. Actual result: -------------- The file that is the target of the symlink will then be overwritten by the session data (assuming it is webserver-writable). This allows overwriting of any uploaded file, including those uploaded by other users. (If the symlink does not point to a real file, then the file will be created) Since the session data may be a valid file for certain formats (PHP scripts, for example), this has potential uses for cross-site scripting due to the bypassing of open_basedir. For example, storing "<?php print("foo"); ?>" as session data to a file exploit.php in another user's upload directory will cause that PHP code to be executed if it can be read via HTTP. This could be used for cookie stealing, etc. (Obviously some garbage due to the session storage format will also be printed, but this may not be a major problem) -- Edit bug report at http://bugs.php.net/?id=37273&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=37273&r=trysnapshot44 Try a CVS snapshot (PHP 5.1): http://bugs.php.net/fix.php?id=37273&r=trysnapshot51 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=37273&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=37273&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=37273&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=37273&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=37273&r=needscript Try newer version: http://bugs.php.net/fix.php?id=37273&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=37273&r=support Expected behavior: http://bugs.php.net/fix.php?id=37273&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=37273&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=37273&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=37273&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=37273&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=37273&r=dst IIS Stability: http://bugs.php.net/fix.php?id=37273&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=37273&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=37273&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=37273&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=37273&r=mysqlcfg