From: c dot i dot morris at durham dot ac dot uk
Operating system: Linux
PHP version: 5.1.3
PHP Bug Type: Session related
Bug description: Symlinks and session handler allow open_basedir bypass
Description:
------------
[Filed in bug tracking system as stated in message to [EMAIL PROTECTED] on
25 April following no response to that message or the similar message on
31 March]
Creation of symlinks in a user-specified directory allows creation and
editing of any web-server writable file bypassing open_basedir and other
safe-mode checks.
PHP session creation allows any alphanumeric session id to be specified by
the client by setting $_GET['PHPSESSID']. PHP then creates (or overwrites
if it exists) a file called "sess_".session_id() in the directory
specified in the session.save_path configuration option.
When doing this, it does not check whether the session file is a real file
or a symlink.
Reproduce code:
---------------
1) Create a symlink named "sess_foo" in a directory owned by the script
owner and within the open_basedir confines, to the file that will be
overwritten with junk session data.
The file to be overwritten must be webserver-writable but can be outside
the open_basedir confines. Alternatively you can use a broken symlink to a
web-server writable directory.
2) Make the following script:
<?php
ini_set("session.save_path","/path/where/sess_foo/symlink/is/");
session_start();
$_SESSION['bar'] = "bar";
session_write_close();
?>
3) Call this script with ?PHPSESSID=foo
Obviously for this to work, sessions must be enabled, setting session save
paths must be allowed, the filesystem must support symbolic links (and the
exploiting user must be able to create them, which will generally require
shell access), and PHP must be running as an Apache module rather than as
suexeced CGI.
Expected result:
----------------
Some sort of error about invalid session data (or possibly just a silent
refusal to use that session and the creation of a new session). PHP should
check that the session file "sess_".session_id() either does not exist, or
exists and is a real file rather than a symlink, before attempting to read
from or write to it.
Actual result:
--------------
The file that is the target of the symlink will then be overwritten by the
session data (assuming it is webserver-writable). This allows overwriting
of any uploaded file, including those uploaded by other users.
(If the symlink does not point to a real file, then the file will be
created)
Since the session data may be a valid file for certain formats (PHP
scripts, for example), this has potential uses for cross-site scripting
due to the bypassing of open_basedir.
For example, storing "<?php print("foo"); ?>" as session data to a file
exploit.php in another user's upload directory will cause that PHP code to
be executed if it can be read via HTTP. This could be used for cookie
stealing, etc. (Obviously some garbage due to the session storage format
will also be printed, but this may not be a major problem)
--
Edit bug report at http://bugs.php.net/?id=37273&edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=37273&r=trysnapshot44
Try a CVS snapshot (PHP 5.1):
http://bugs.php.net/fix.php?id=37273&r=trysnapshot51
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=37273&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=37273&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=37273&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=37273&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=37273&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=37273&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=37273&r=support
Expected behavior: http://bugs.php.net/fix.php?id=37273&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=37273&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=37273&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=37273&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=37273&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=37273&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=37273&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=37273&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=37273&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=37273&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=37273&r=mysqlcfg
