Bug 1009103 - (CVE-2013-6501) CVE-2013-6501 php: predictable file name used for cache in world writeable directory
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Depends On:
Blocks: 1012158
Reported: 2013-09-17 13:08 EDT by Michael Scherer
Modified: 2015-08-19 04:19 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the PHP WSDL extension used a file with a predictable name in a world writable directory as a cache. A local attacker could use this flaw to poison the cache using a specially crafted temporary file.
Story Points: ---
Clone Of:
Last Closed: 2015-04-14 06:07:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Michael Scherer 2013-09-17 13:08:04 EDT
On http://git.php.net/?p=php-src.git;a=blob;f=ext/soap/php_sdl.c;h=0ac4c2ed7a9bf87bb454db58ae3d969eef36f244;hb=HEAD#l3224

We see that the php wsdl extension is reading a predictable filename from a cache directory. The name is based on a configurable directory name, a prefix, and an md5, derived from the file that would be cached (or rather the url).

So far, so good. However, the default configuration is to use /tmp:

so someone could connect to a shared php server (not uncommon), and if some php code is using this feature (ie, using wsdl), with cache enabled by default, they could just pre-create the file in /tmp to have it used instead of the one intended to be used (ie, a cache injection issue). After a quick look, there is no check of owner or permission in get_sdl_from_cache.

I am not able to say if WSDL injection is a serious issue or not.

Fedora does have PrivateTmp in the systemd file, which mitigates this issue (provided someone does not use php to make the attack). RHEL < 7 does not have it however.

So far, upstream was not notified, except our php maintainer for a quick sanity check. I assume this affects all php versions for a few years.
Comment 2 Michael Scherer 2013-09-17 14:23:52 EDT
So looking a bit more at WSDL, I see that WSDL also includes a description of the endpoint of the service (see:
<definitions .... >
 <service name="service1">
        <port name="port1" binding="tns:b1">
           <http:address location="http://example.com/"/>

So someone injecting a WSDL file could also inject a different endpoint (ie, an http url), which would then be a bit more serious, since that means someone could just redirect a web service to a different server.

Then the software would try to execute remote code on the wrong remote server, which means:
- stealing argument value
- injecting wrong results
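The two points raised above (a cache file whose name anyone can compute and which is used without an owner or permission check, and a planted WSDL redirecting the service endpoint) as an added example. This is not code from PHP's ext/soap or from the reporter; it models the cache layout the report describes (directory + prefix + md5 of the url) with an assumed "wsdl-" prefix, constructs its own minimal WSDL documents, and stands in for /tmp with a temporary directory. The hardened loader shows the check get_sdl_from_cache is said to lack: open with O_NOFOLLOW, then verify that the inode actually opened is a regular file, owned by the expected uid and not writable by anyone else.

```python
"""Added example (not PHP's own code): predictable-name cache in a shared
directory, the naive loader the report describes, and a hardened loader
that checks what it opened. The "wsdl-" prefix, the sample URL and the WSDL
documents are assumptions made up here; /tmp is simulated by a temp dir."""
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

CACHE_PREFIX = "wsdl-"  # assumed for illustration, not read from php_sdl.c


def cache_path(cache_dir: str, wsdl_url: str) -> str:
    """Anyone who knows the WSDL URL can compute the cache file name."""
    digest = hashlib.md5(wsdl_url.encode()).hexdigest()
    return os.path.join(cache_dir, CACHE_PREFIX + digest)


def naive_load(path: str):
    """The behaviour the report describes: use the file if it exists."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


class UntrustedCacheFile(Exception):
    """The cache entry is not a file this process can trust."""


def hardened_load(path: str, expected_uid=None):
    """Open without following symlinks, then verify the inode actually opened."""
    uid = os.geteuid() if expected_uid is None else expected_uid
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except FileNotFoundError:
        return None
    except OSError as e:  # ELOOP: a symlink was planted where the cache file goes
        raise UntrustedCacheFile(f"{path}: {e.strerror}") from e
    with os.fdopen(fd, "rb") as f:  # closes fd on every exit path
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedCacheFile(f"{path}: not a regular file")
        if st.st_uid != uid:
            raise UntrustedCacheFile(f"{path}: owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedCacheFile(f"{path}: writable by group or others")
        return f.read()


def wsdl_for(location: str) -> bytes:
    """Constructed minimal WSDL whose port address points at `location`."""
    return (
        '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" '
        'xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" '
        'xmlns:tns="urn:example" targetNamespace="urn:example">'
        '<service name="service1"><port name="port1" binding="tns:b1">'
        f'<http:address location="{location}"/></port></service></definitions>'
    ).encode()


def endpoint_of(wsdl: bytes):
    """Where a client built from this WSDL would send its requests."""
    for el in ET.fromstring(wsdl).iter():
        if el.tag.rsplit("}", 1)[-1] == "address" and "location" in el.attrib:
            return el.attrib["location"]
    return None


def _verdict(path, **kw):
    try:
        hardened_load(path, **kw)
        return "accepted"
    except UntrustedCacheFile:
        return "rejected"


def demo(cache_dir=None) -> dict:
    """A local user on the shared host plants the predictable cache entry;
    compare what the naive and hardened loaders make of it."""
    if cache_dir is None:
        with tempfile.TemporaryDirectory() as d:  # stands in for /tmp
            return demo(d)
    path = cache_path(cache_dir, "http://example.com/service.wsdl")  # constructed URL
    out = {}
    # 1. Attacker pre-creates the file with the endpoint redirected to their host.
    with open(path, "wb") as f:
        f.write(wsdl_for("http://attacker.invalid/"))
    os.chmod(path, 0o666)
    out["naive_endpoint"] = endpoint_of(naive_load(path))
    out["world_writable"] = _verdict(path)
    # 2. Attacker tightens the mode; now only the owner check can catch it.
    #    A foreign owner is simulated by expecting a uid other than our own.
    os.chmod(path, 0o644)
    out["foreign_owner"] = _verdict(path, expected_uid=os.geteuid() + 1)
    # 3. Attacker plants a symlink to a file they control instead.
    os.remove(path)
    theirs = os.path.join(cache_dir, "attacker-owned")
    with open(theirs, "wb") as f:
        f.write(wsdl_for("http://attacker.invalid/"))
    os.symlink(theirs, path)
    out["symlink"] = _verdict(path)
    # 4. The service writes its own entry (0600, O_EXCL): accepted, endpoint intact.
    os.remove(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(wsdl_for("http://example.com/"))
    out["own_file"] = _verdict(path)
    out["hardened_endpoint"] = endpoint_of(hardened_load(path))
    return out


if __name__ == "__main__":
    print(demo())
```

The naive loader hands back whatever was planted, so a client built from it would post its requests to the attacker's host, which is the endpoint-redirect concern raised above. The hardened loader rejects the same file three different ways (mode, owner, symlink) and only accepts an entry the service created itself. The directory matters as much as the check: PHP's soap.wsdl_cache_dir directive defaults to /tmp, so pointing it at a directory owned by the service user, or running under systemd's PrivateTmp as the report notes Fedora does, removes the shared-directory precondition entirely.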
Comment 3 Vincent Danen 2013-09-18 00:09:15 EDT
Michael, can you send an email to security@php.net with the above?  This does sound like a security issue to me, but I can't say how severe it is.  This may or may not be "arbitrary code" (i.e. you can define by the wsdl what code to execute on the remote server), but you could use it to do some kind of "pinging" to a remote server when the wsdl is called.  I'll admit that I don't know much about this so I'm not sure how bad it is.

Comment 5 Michael Scherer 2013-09-18 07:18:24 EDT
Done, I sent the email (as you likely have seen) and added rcollet@ since he wanted to comment on it (and is our php packager).
Comment 11 Kurt Seifried 2015-02-08 17:19:43 EST
This has been made public and PHP re-notified.
Comment 13 Francisco Alonso 2015-03-17 07:30:03 EDT

This issue was discovered by Michael Scherer of Red Hat.
