A vulnerability affecting both PHP 5.2.11 and 5.3.0 was announced on September 30, 2009 via Security Reason. Grzegorz Stachowiak discovered an open_basedir bypass in the posix_mkfifo() function that allows a denial of service if the Apache user, or a local user, has write access to create a FIFO (named pipe) called .htaccess within a DocumentRoot.
The Vulnerability
The vulnerability exists because the posix_mkfifo() function in ./ext/posix/posix.c only checks safe_mode restrictions and never tests the target path against open_basedir, so the path it creates is never subjected to that check. Take the following example:
UserX and UserY both have virtual hosts on a shared server with open_basedir set to ‘/var/www:/tmp’. open_basedir restricts every file operation a PHP script makes through PHP's normal filesystem functions to the listed directories and their subdirectories. UserY's DocumentRoot, /home/UserY/www, lies outside that list, so UserX's scripts should not be able to create anything there.
With the vulnerability in posix_mkfifo(), UserX can craft a script that creates a FIFO named ‘.htaccess’ in UserY's directory (if that directory is writable by Apache or by UserX), such as:
<?php
// UserX's script: creates a FIFO (named pipe) at the path Apache reads UserY's .htaccess from
posix_mkfifo('/home/UserY/www/.htaccess', 0777);
This succeeds and creates ‘/home/UserY/www/.htaccess’ as a FIFO. On the next request for anything under /home/UserY/www, Apache opens .htaccess to read the per-directory configuration. A read-only open() of a FIFO that has no writer blocks indefinitely, so that request handler hangs, and every further request for the directory ties up another one until the server stops answering.
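The following probe, added here as an example and not code from the original advisory or from IUS or PHP, tells you whether the PHP build you are running still lets posix_mkfifo() write outside open_basedir. It is written in PHP 5.2-compatible syntax so it runs on the affected interpreters. The target directory, the default of /home/UserY/www taken from the scenario above, and the probe file name are assumptions: the directory must lie outside open_basedir, be writable by the user running PHP, and not be one Apache serves, so a positive result cannot hang your own server.

```php
<?php
// Added example, not code from the original advisory or from IUS/PHP:
// probe whether this PHP build lets posix_mkfifo() write outside open_basedir.
// PHP 5.2-compatible syntax so it also runs on the affected interpreters.
//
// Run it under the restriction you want to test, for example:
//   php -d open_basedir=/var/www:/tmp probe_mkfifo.php /home/UserY/www
//
// The target directory is an assumption: it must lie OUTSIDE open_basedir,
// be writable by the user running PHP, and NOT be a directory Apache serves,
// so a positive result cannot hang your own server. The probe uses a neutral
// file name, never .htaccess, and tries to remove the FIFO straight away.

$captured = array();

function capture_warning($errno, $errstr) {
    global $captured;
    $captured[] = $errstr;
    return true;                       // handled: keep it out of the output
}

// Returns array(bool|null $vulnerable, string $detail).
function mkfifo_escapes_basedir($outside_dir) {
    global $captured;

    $basedir = ini_get('open_basedir');
    if ($basedir === '' || $basedir === false) {
        return array(null, 'INCONCLUSIVE: open_basedir is not set, so there is nothing to bypass');
    }
    if (!function_exists('posix_mkfifo')) {
        return array(false, 'NOT EXPOSED: ext/posix is not loaded; posix_mkfifo() is unavailable');
    }

    $fifo = rtrim($outside_dir, '/') . '/.mkfifo-probe-' . getmypid();
    $captured = array();
    set_error_handler('capture_warning', E_WARNING);   // a fixed build warns about open_basedir here
    $created = posix_mkfifo($fifo, 0600);
    restore_error_handler();

    if ($created) {
        // unlink() IS bounded by open_basedir, so on a vulnerable build PHP
        // can create the FIFO but usually cannot remove it again.
        $removed = @unlink($fifo);
        $detail = "VULNERABLE: posix_mkfifo() created $fifo outside open_basedir ($basedir).";
        if (!$removed) {
            $detail .= " unlink() was refused; remove it from a shell: rm -- '$fifo'";
        }
        return array(true, $detail);
    }

    $why = implode('; ', $captured);
    if (stripos($why, 'open_basedir') !== false) {
        return array(false, "PATCHED: $why");
    }
    if ($why === '') {
        $why = posix_strerror(posix_get_last_error()); // plain mkfifo(2) failure: EACCES, ENOENT, ...
    }
    return array(null, "INCONCLUSIVE: posix_mkfifo() failed for another reason ($why); check that $outside_dir exists and is writable");
}

$target = isset($argv[1]) ? $argv[1] : '/home/UserY/www';   // default taken from the advisory's scenario
list($vulnerable, $detail) = mkfifo_escapes_basedir($target);
echo $detail, "\n";
exit($vulnerable === true ? 1 : ($vulnerable === null ? 2 : 0));
```

Run it as the same system user Apache runs as. Because open_basedir is enforced by the PHP runtime rather than by the web server, passing it with -d on the command line reproduces the restriction without touching any vhost configuration. Note the asymmetry the probe exposes: on a vulnerable build PHP can create the FIFO outside open_basedir but cannot unlink() it, since unlink() does honour the restriction, so the probe prints the rm command you need.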
The Fix
The PHP developers have patched this bug in upstream CVS, which has been backported by the IUS CoreDev team and applied to our php52 and php53 packages.
Installing IUS Patched RPMs for RHEL/CentOS
Packages are available for RHEL/CentOS 4 (php52) and RHEL/CentOS 5 (php52, php53). For installation/upgrade instructions see the Getting Started page and/or check out the Wiki for more information.
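Upgrading the package stops new FIFOs from being created, but any .htaccess FIFO already planted in a DocumentRoot keeps hanging requests until it is removed. The scanner below, added here as an example and not code from the original advisory or from IUS or PHP, walks a list of DocumentRoots and reports every .htaccess that is a FIFO, together with its owner and modification time so the finding can be kept as incident evidence. It is stat-only: nothing in it open()s a candidate, because opening the FIFO for reading is exactly what hangs Apache. The default root of /var/www is an assumption; pass your own directories as arguments.

```php
<?php
// Added example, not code from the original advisory or from IUS/PHP:
// hunt for FIFOs named .htaccess under a list of DocumentRoots and report
// owner and mtime, so the finding can be treated as incident evidence.
// Everything here is stat-only; nothing open()s the candidate, because
// opening a FIFO for reading is exactly what hangs Apache.
// PHP 5.2-compatible syntax. The default root is an assumption; pass your own:
//   php find_fifo_htaccess.php /var/www /home/UserY/www

function is_fifo_path($path) {
    $type = @filetype($path);          // lstat-based: 'fifo', 'file', 'dir', 'link', ...
    if ($type === 'link') {
        // Apache follows symlinks when it reads .htaccess, so judge the target.
        $target = realpath($path);
        $type = ($target === false) ? false : @filetype($target);
    }
    return $type === 'fifo';
}

function find_fifo_htaccess($roots) {
    $hits = array();
    foreach ($roots as $root) {
        if (!is_dir($root)) {
            continue;
        }
        // CATCH_GET_CHILD: an unreadable subdirectory is skipped instead of
        // aborting the whole walk.
        $walker = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root),
            RecursiveIteratorIterator::SELF_FIRST,
            RecursiveIteratorIterator::CATCH_GET_CHILD
        );
        foreach ($walker as $path => $info) {
            if ($info->getFilename() === '.htaccess' && is_fifo_path($path)) {
                $st = lstat($path);
                $hits[] = array(
                    'path'  => $path,
                    'uid'   => $st['uid'],
                    'mtime' => date('c', $st['mtime']),
                );
            }
        }
    }
    return $hits;
}

$roots = count($argv) > 1 ? array_slice($argv, 1) : array('/var/www');   // assumed default
$hits = find_fifo_htaccess($roots);
if (!$hits) {
    echo "No FIFO .htaccess files found under: ", implode(' ', $roots), "\n";
    exit(0);
}
foreach ($hits as $h) {
    $owner = function_exists('posix_getpwuid') ? posix_getpwuid($h['uid']) : false;
    $who   = $owner ? $owner['name'] : $h['uid'];
    echo "FIFO .htaccess: {$h['path']}  owner={$who}  mtime={$h['mtime']}\n";
}
echo "Record the above, then remove each with: rm -- <path>\n";
exit(1);
```

The owner reported for each hit is the account that was able to write into that DocumentRoot, which on a shared host is the question you want answered before simply deleting the file. From a shell, find /var/www -type p -name .htaccess -ls gives the same list without the symlink resolution.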
Other IUS Package Updates
In addition to these package updates we have also released a number of other updates to IUS Stable. Please see the full announcements:
Thanks!
—
BJ Dierkes
Linux Systems Engineer IV / [RH]acker
Infrastructure Services [OS & Applications]
Rackspace Hosting