Bug 195538
| Summary: | CVE-2006-2660 tempnam() unique filename bypass | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Josh Bressers <bressers> |
| Component: | php | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED NOTABUG | QA Contact: | David Lawrence <dkl> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | impact=low,source=cve,public=20060711,reported=20060613 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-06-23 10:23:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Josh Bressers
2006-06-15 16:43:24 UTC
splitting our RHEL2.1 into it's own tracking bug The "attack" described here to pass a long path to the php_do_open_temporary_file function, which will force the snprintf() call to truncate the path printed to the fixed length buffer (of size MAXPATHLEN). The 'XXXXXX' characters would then be omitted from the path passed to mkstemp. The aim being that the mkstemp call would then create a file with an extension under the control of the "attacker" and hence possibly an executable PHP script, rather than with the unique suffix. But the glibc mkstemp() implementation will fail if the passed-in path does not include the trailing "six Xs"; in that case php_open_temporary_* will fall back on using the sytem-wide temp dir rather than the user-supplied one. In any case, the "open_basedir" feature does not implement a reliable security barrier between script and environment, so script authors must be trusted with privileges of the "apache" user anyway. |