|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2006-05-03 13:18 UTC] iliaa@php.net
[2006-05-03 13:30 UTC] cim at compsoc dot dur dot ac dot uk
[2006-05-03 16:19 UTC] c dot i dot morris at durham dot ac dot uk
[2006-06-16 14:32 UTC] c dot i dot morris at durham dot ac dot uk
[2006-07-27 01:34 UTC] sniper@php.net
[2006-07-27 11:41 UTC] a dot d dot stribblehill at durham dot ac dot uk
[2007-08-20 10:19 UTC] vrana@php.net
[2007-08-20 10:37 UTC] jani@php.net
[2007-08-23 02:04 UTC] iliaa@php.net
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 24 11:00:02 2025 UTC |
Description: ------------ [Filed in bug tracking system as stated in message to security@php.net on 25 April following no response to that message or the similar message on 31 March] Creation of symlinks in a user-specified directory allows creation and editing of any web-server writable file bypassing open_basedir and other safe-mode checks. PHP session creation allows any alphanumeric session id to be specified by the client by setting $_GET['PHPSESSID']. PHP then creates (or overwrites if it exists) a file called "sess_".session_id() in the directory specified in the session.save_path configuration option. When doing this, it does not check whether the session file is a real file or a symlink. Reproduce code: --------------- 1) Create a symlink named "sess_foo" in a directory owned by the script owner and within the open_basedir confines, to the file that will be overwritten with junk session data. The file to be overwritten must be webserver-writable but can be outside the open_basedir confines. Alternatively you can use a broken symlink to a web-server writable directory. 2) Make the following script: <?php ini_set("session.save_path","/path/where/sess_foo/symlink/is/"); session_start(); $_SESSION['bar'] = "bar"; session_write_close(); ?> 3) Call this script with ?PHPSESSID=foo Obviously for this to work, sessions must be enabled, setting session save paths must be allowed, the filesystem must support symbolic links (and the exploiting user must be able to create them, which will generally require shell access), and PHP must be running as an Apache module rather than as suexeced CGI. Expected result: ---------------- Some sort of error about invalid session data (or possibly just a silent refusal to use that session and the creation of a new session). PHP should check that the session file "sess_".session_id() either does not exist, or exists and is a real file rather than a symlink, before attempting to read from or write to it. Actual result: -------------- The file that is the target of the symlink will then be overwritten by the session data (assuming it is webserver-writable). This allows overwriting of any uploaded file, including those uploaded by other users. (If the symlink does not point to a real file, then the file will be created) Since the session data may be a valid file for certain formats (PHP scripts, for example), this has potential uses for cross-site scripting due to the bypassing of open_basedir. For example, storing "<?php print("foo"); ?>" as session data to a file exploit.php in another user's upload directory will cause that PHP code to be executed if it can be read via HTTP. This could be used for cookie stealing, etc. (Obviously some garbage due to the session storage format will also be printed, but this may not be a major problem)