[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE

Subject: Re: [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE
From: Ted Behling <TBehling@xxxxxxxxxxxxx>
Date: Fri Sep 14 11:42:05 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

At 06:58 AM 9/14/01, Glen Scott wrote:

Some of our customers started complaining lately about the fact that onces
they uploaded files through PHP and used the "move_uploaded_file" function
of php the rights of the uploaded file would look like this.

-rw-------   1 httpd    root           66 Sep 13 15:53
/home/sites/home/web/tmp/test.file

Which is off course a huge security hole !!!
Why is this a security hole? As far as I can see, the file can only beread and written to by the user 'httpd'. Isn't the group in this caseirrelevant?

This is a problem because when PHP is used as an Apache module, it runs inthe security context of the Web server. Therefore, uploaded files areowned by the 'httpd' user. Since all users on the server run their PHPscripts in the same security context, they all have access to each other'sfiles. A different user could easily write a PHP script that recursesthrough your disk and deletes every file it comes across to which it hasaccess (i.e., owned by 'httpd'). BTW, this also applies to mod_perl.

This has been a known issue since day one. To get around it, you have acouple of options. You can run your uploading PHP scripts using the CGIversion of PHP, under cgiwrap. That'll run the script in the context ofthe PHP CGI owner. Another, better option is to create a small setuidscript, owned by the uploading user, to copy the uploaded file to a fileowned by that user. The script would execute this external program, thendelete the original file.


--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------

References:
- [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE
  - From: Marco Baurdoux
- Re: [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE
  - From: Glen Scott

Prev by Date: [cobalt-users] How many A address records
Next by Date: [cobalt-users] Re:Listserv Software for Raq3
Previous by thread: Re: [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE
Next by thread: Re: [cobalt-users] OT: List Cop in residence

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index