[dev] imp-2.2.4 tmpfile problems?
Jarno Huuskonen
Jarno.Huuskonen@uku.fi
Tue, 22 May 2001 00:56:09 +0300
On Mon, May 21, Brent J. Nordquist wrote:
> On Mon, 21 May 2001, Jarno Huuskonen <Jarno.Huuskonen@uku.fi> wrote:
>
> > I tested this with both php-3.0.18 / php-4.0.5 with upload_tmp_dir set
> > to /tmp (safe mode off)
> ^^^^^^^^^^^^^
> What's the point? The ownership checks in PHP 4.0.5 copy() aren't
> effective unless you run in safe mode.
(I'm not sure anymore (it's 1am ;-). I guess it was that it works if safe
mode is off ;)
OK, this time I used safe mode on and I still think the copy call is a
problem. (In all of my tests /tmp/Gotcha didn't exist before the test.)
Here's an strace of apache with php4.0.5 safe mode on:

[pid 14301] open("/tmp/phpXPgTMl", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 4
(php creates the temporary upload file)
...
[pid 14301] stat("/tmp/phpXPgTMl", {st_mode=S_IFREG|0600, st_size=55315, ...}) = 0
[pid 14301] stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=1024, ...}) = 0
[pid 14301] stat("/tmp/phpXPgTMl.att", 0x7ffead88) = -1 ENOENT (No such file or directory)
^^^^
This is the php safe mode call that stats the destination file (which is
a symlink). Because it uses stat (instead of lstat) it actually stats
/tmp/Gotcha (which doesn't exist).

[pid 14301] open("/tmp/phpXPgTMl", O_RDONLY) = 6
[pid 14301] open("/tmp/phpXPgTMl.att", O_WRONLY|O_CREAT|O_TRUNC, 0777) = 7
Here the destination file is created, and because of the symlink we actually
create /tmp/Gotcha. And because the open("/tmp/phpXPgTMl.att", ...) doesn't use
O_EXCL there's a temp race (if somebody can create /tmp/phpXPgTMl.att after the
stat but before the open ...).
> > - imp/lib/mimetypes.lib uses predictable filenames like:
> > /tmp/imp.' . date('Y-M-D_H:i:s') . '__' . md5($contents)
> > (if the $contents comes from the users attachment then the user can control
> > what the filename is going to be)
>
> Seems like this is essentially the same scenario as the copy() issue we're
> discussing?
Yes, basically the same problem. I think there was a patch for this on
the dev list (all tempfiles are created with tempnam).
> However, the safe_mode provision should cover this... assuming it works
> properly. (And if it doesn't, it's arguably a PHP problem.) But for
> 2.2.x we're interested in knowing if the "predictable destination
> filename" results in an exploitable vulnerability.
From my testing I think it is possible to create new files with
webserver permissions even with php safe_mode on. Safe mode might (should?)
catch file overwrites.
Could you or somebody else use the perl script (or something similar) and see
if you get the same result? (The perl script might work better if you
replace sleep(1) with system("usleep 100"); or something like that.)
In any case I think tempfile problems can be solved by using upload_tmp_dir
and tempnam (with php4) in imp.
-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Center | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
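The stat-then-open sequence from the strace above, reproduced as an added example (this is not code from the thread, from IMP or from PHP). It builds the "Gotcha" scenario in a private directory: an attacker plants a dangling symlink at a predictable destination name, a stat()-based existence check follows the link and reports ENOENT (so the check passes), and an open() with O_WRONLY|O_CREAT|O_TRUNC creates the link target. The same block then runs the two open() variants that close the hole (O_CREAT|O_EXCL, and O_NOFOLLOW) against the same link, and shows that lstat() would have revealed the symlink. The directory, the file names and the "phpUPLOAD.att" destination name are constructed for the demo; the predictability of such names is what lets the attacker place the link before the writer runs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_PATH 256

/* What each step of the demo observed. */
struct race_result {
    int stat_errno;            /* stat(dest) follows the link: ENOENT while target missing */
    int lstat_is_link;         /* lstat(dest) reports the symlink itself */
    int unsafe_target_created; /* O_WRONLY|O_CREAT|O_TRUNC wrote through the link */
    int excl_errno;            /* O_CREAT|O_EXCL on the link: EEXIST */
    int nofollow_errno;        /* O_NOFOLLOW on the link: ELOOP */
};

/* Builds the scenario under a fresh mkdtemp() directory (constructed for the
 * demo), runs the checks and opens against the attacker-placed symlink,
 * records the outcome in *r and cleans up.  Returns 0, or -1 if setup failed. */
int run_symlink_race_demo(struct race_result *r)
{
    char dir[DEMO_PATH] = "/tmp/race_demo_XXXXXX";
    char dest[DEMO_PATH], target[DEMO_PATH];
    struct stat st;
    int fd;

    memset(r, 0, sizeof *r);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(dest, sizeof dest, "%s/phpUPLOAD.att", dir); /* predictable name */
    snprintf(target, sizeof target, "%s/Gotcha", dir);    /* attacker's goal */

    /* Attacker step: a dangling symlink at the predictable destination. */
    if (symlink(target, dest) != 0) { rmdir(dir); return -1; }

    /* Victim's check, as in the strace: stat() follows the link and sees
     * nothing at /Gotcha, so "the destination does not exist" and the write
     * goes ahead.  lstat() on the same path sees the symlink. */
    if (stat(dest, &st) != 0) r->stat_errno = errno;
    r->lstat_is_link = (lstat(dest, &st) == 0 && S_ISLNK(st.st_mode));

    /* Victim's write, as in the strace: no O_EXCL, no O_NOFOLLOW. */
    fd = open(dest, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd >= 0) {
        if (write(fd, "owned\n", 6) != 6) { /* content is irrelevant here */ }
        close(fd);
    }
    /* The regular file now exists at the link target, not at dest. */
    r->unsafe_target_created = (lstat(target, &st) == 0 && S_ISREG(st.st_mode));
    unlink(target); /* restore the dangling link for the hardened variants */

    /* Hardened variant 1: O_CREAT|O_EXCL fails with EEXIST when the path is
     * a symlink, regardless of whether the link target exists. */
    fd = open(dest, O_WRONLY | O_CREAT | O_EXCL, 0600);
    r->excl_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    /* Hardened variant 2: O_NOFOLLOW refuses a symlink as the final
     * component, so the open fails with ELOOP instead of following it. */
    fd = open(dest, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    r->nofollow_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    unlink(target);
    unlink(dest);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct race_result r;
    if (run_symlink_race_demo(&r) != 0) { perror("setup"); return 1; }
    printf("stat errno=%d (ENOENT=%d), lstat sees symlink=%d\n",
           r.stat_errno, ENOENT, r.lstat_is_link);
    printf("unsafe open created link target=%d\n", r.unsafe_target_created);
    printf("O_EXCL errno=%d (EEXIST=%d), O_NOFOLLOW errno=%d (ELOOP=%d)\n",
           r.excl_errno, EEXIST, r.nofollow_errno, ELOOP);
    return 0;
}
```

The demo covers the pre-placed-link case from the strace; the narrower window the message also mentions (a link created after the stat but before the open) is the same hole, since the check and the open are separate system calls on the same path. O_EXCL and O_NOFOLLOW close it at the open itself, which is why a mkstemp()-style creation (unpredictable name plus O_CREAT|O_EXCL) is the usual fix rather than a better pre-check.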