Bug #42952 soap cache file is created with insecure permissions on some configurations
Submitted: 2007-10-12 16:53 UTC Modified: 2007-11-23 10:06 UTC
From: glen at delfi dot ee Assigned: dmitry (profile)
Status: Closed Package: SOAP related
PHP Version: 5.2.4 OS: PLD Linux
Private report: No CVE-ID: None
 [2007-10-12 16:53 UTC] glen at delfi dot ee
Description:
------------
soap cache file is created with insecure permissions on some configurations:

-rw-rw-rw- 1 http http 67K Oct 12 19:10 wsdl-cf39a31ae8dbd9b9899539495756434d

by default cache is enabled and cache directory is set to /tmp:
http://ee.php.net/manual/en/ref.soap.php

#ifdef ZEND_WIN32
    f = open(fn,O_CREAT|O_WRONLY|O_EXCL|O_BINARY,S_IREAD|S_IWRITE);
#else
    f = open(fn,O_CREAT|O_WRONLY|O_EXCL|O_BINARY,S_IREAD|S_IWRITE|S_IROTH|S_IWOTH|S_IRGRP|S_IWGRP);
#endif

probably in shared environments somebody could replace the cache file with evil content and cause soap requests to be sent to an infected webserver capturing user passwords/logins, depending on the application.

Reproduce code:
---------------
create sample wsdl.xml from:
http://www.roguewave.com/support/docs/leif/leif/html/soapworxug/A-1.html


$ (rm -f /tmp/wsdl-*; umask 0; strace -ff -eopen php -r '$s = new SoapClient("/tmp/wsdl.xml");' 2>&1|grep wsdl; ls -l /tmp/wsdl-*)

open("/tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/tmp/wsdl.xml", O_RDONLY)         = 5
open("/tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7", O_WRONLY|O_CREAT|O_EXCL, 0666) = 5
-rw-rw-rw- 1 glen glen 488 2007-10-12 19:50 /tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7
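The following is an added example, not code from PHP's ext/soap. It reproduces the two open() modes side by side (the 0666 mode quoted from the non-Windows branch above, and an owner-only 0600 mode), checks the resulting permission bits the way a cache consumer could before trusting a file, and builds a per-UID cache filename as floated later in this thread. It assumes a writable /tmp; the function names, the "wsdl-demo-" prefix and the per-user name layout are assumptions for illustration only.

```c
/* Added example (not PHP's ext/soap code): compare the 0666 open() mode
 * from the bug report with an owner-only mode, and build a per-UID cache
 * filename as discussed in the thread. Assumes /tmp is writable. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Insecure variant, mirroring the non-Windows branch quoted in the report.
 * O_EXCL stops the open from following a pre-existing file or symlink, but
 * the mode makes the new file group- and world-writable whenever the process
 * umask allows it (the report reproduces with umask 0). */
int open_cache_insecure(const char *fn) {
    return open(fn, O_CREAT | O_WRONLY | O_EXCL,
                S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
}

/* Hardened variant: owner-only permissions, regardless of umask. */
int open_cache_secure(const char *fn) {
    return open(fn, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Return the permission bits that let other users modify the file
 * (group or world write), or -1 if the file cannot be stat'ed.
 * A cache consumer should refuse to trust a file for which this is non-zero. */
int writable_by_others(const char *fn) {
    struct stat st;
    if (stat(fn, &st) != 0) return -1;
    return (int)(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Build a per-user cache name, the approach floated in the discussion:
 * embedding the UID keeps different users from colliding on one shared file.
 * The "wsdl-" prefix follows the report; the exact layout is an assumption. */
int per_user_cache_name(char *buf, size_t len, const char *dir, const char *digest) {
    int n = snprintf(buf, len, "%s/wsdl-%lu-%s", dir, (unsigned long)getuid(), digest);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Create a file with the given opener under umask 0 (as in the reproduce
 * step), return writable_by_others() for it, and remove it again.
 * Returns -1 if the file could not be created. */
int demo_mode(int (*opener)(const char *)) {
    char fn[256];
    snprintf(fn, sizeof fn, "/tmp/wsdl-demo-%ld-%d",
             (long)getpid(), opener == open_cache_secure);
    mode_t old = umask(0);
    int fd = opener(fn);
    umask(old);
    if (fd < 0) return -1;
    close(fd);
    int bits = writable_by_others(fn);
    unlink(fn);
    return bits;
}

int main(void) {
    printf("insecure open: other-writable bits = %04o\n",
           (unsigned)demo_mode(open_cache_insecure));
    printf("secure open:   other-writable bits = %04o\n",
           (unsigned)demo_mode(open_cache_secure));
    char name[256];
    /* digest taken from the strace output in the report */
    if (per_user_cache_name(name, sizeof name, "/tmp",
                            "d3d4b363f5423ee77d7e0342af8881c7") == 0)
        printf("per-user cache name: %s\n", name);
    return 0;
}
```

Run with umask 0 to match the report's reproduce step: the insecure opener yields 0022 in the other-writable bits, the secure opener yields 0000. Note that a 0600 mode alone does not fix the sharing problem dmitry raises below; the per-UID name is what keeps several users from fighting over one file.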

 [2007-10-12 16:55 UTC] glen at delfi dot ee
here's patch to fix the problem:

http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/php-bug-42952.patch
 [2007-11-01 12:39 UTC] dmitry@php.net
I am not sure it is a good patch.

The same WSDL files may be used by different users and your patch will allow access to cache only to first user.
 [2007-11-01 13:10 UTC] glen at delfi dot ee
Do you mean different SAPIs like CLI?

But different SAPIs have separate php.ini files, where they can define a path suitable for them (writable).

And in fact I've done that in our distribution. So you consider this a distribution-related issue?
 [2007-11-01 13:32 UTC] dmitry@php.net
Even one SAPI in shared environment will have the same issue.
If you have several php-cgi processes with different UID, only one of them will own the cache file, and all others won't be able to access it.
 [2007-11-01 14:10 UTC] glen at delfi dot ee
So perhaps keep user id (getuid()) in the cache filename?
 [2007-11-01 14:14 UTC] dmitry@php.net
I thought about it.
It may be good for php-5.3.0, but I don't like to make such change in 5.2.*
 [2007-11-01 16:10 UTC] glen at delfi dot ee
That would be fine (at least not closed as bogus).

Distributions are free to backport changes they like :)
 [2012-09-18 10:05 UTC] joey dot cai at gmail dot com
The original diff is no longer available since cvs.php.net is long gone. But according to the git log, this patch introduced a bug: only the creator of the cache file can access it. Users with different UIDs have no permission. I think both #51407 and #61094 point to the same thing.

I saw from the comments that you talked about keeping user id (getuid()) in the cache filename, but somehow that doesn't show up in the code. Can you check that, @dmitry? Thank you
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 14:01:31 2024 UTC