We see that the php wsdl extension is reading a predictable filename from a cache directory. The name is based on a configurable directory name, a prefix, and an md5, the md5 derived from the file that would be cached (or rather the url).
So far, so good. However, the default configuration is to use /tmp:
so someone could connect to a shared php server (not uncommon), and if some php code is using this feature (ie, using wsdl), with cache enabled by default, it could just pre-create the file in /tmp to have it used instead of the one intended to be used (ie, a cache injection issue). After a quick look, there is no check of owner or permission in get_sdl_from_cache.
I am not able to say if WSDL injection is a serious issue or not.
Fedora does have PrivateTmp in the systemd file, which mitigates this issue (provided someone does not use php to make the attack). RHEL < 7 does not have it however.
So far, upstream was not notified, except our php maintainer for a quick sanity check. I assume this affects all php versions since a few years.
So looking a bit more at WSDL, I see that WSDL also includes a description of the endpoint of the service (see:
<definitions .... >
<port name="port1" binding="tns:b1">
So someone injecting a WSDL file could also inject a different endpoint (ie, a http url), which would then be a bit more serious, since that means someone could just redirect a web service to a different server.
Then the software would try to execute remote code on the wrong remote server, which means:
- stealing argument value
- injecting wrong results
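A hardened configuration for the shared-/tmp cache problem described in the two comments above, as an added example that is not part of the bug report or of PHP's own code; the WSDL URL and the cache path are placeholders, and the SoapClient calls assume the WSDL is reachable:

```php
<?php
// Added example: keep the SOAP WSDL disk cache out of a shared,
// world-writable /tmp, and verify the directory actually in use.
// Assumptions: $wsdlUrl and $cacheDir are placeholders for this example.

/**
 * Returns a list of problems with the WSDL cache configuration, or an
 * empty array when the cache is disabled or uses a private directory.
 */
function check_wsdl_cache_config(): array
{
    $problems = [];
    if (!ini_get('soap.wsdl_cache_enabled')) {
        return $problems; // cache disabled: nothing is read from disk
    }
    $dir = ini_get('soap.wsdl_cache_dir') ?: '/tmp'; // php.ini default is /tmp
    $st = @stat($dir);
    if ($st === false) {
        $problems[] = "cache dir $dir does not exist";
        return $problems;
    }
    // Another local user must not be able to pre-create cache files here.
    if (($st['mode'] & 0002) !== 0) {
        $problems[] = "cache dir $dir is world-writable";
    }
    if (function_exists('posix_geteuid') && $st['uid'] !== posix_geteuid()) {
        $problems[] = "cache dir $dir is not owned by the php process user";
    }
    return $problems;
}

$wsdlUrl = 'https://example.org/service?wsdl'; // placeholder

// Weak setting (php.ini default): soap.wsdl_cache_enabled=1 and
// soap.wsdl_cache_dir=/tmp, so `new SoapClient($wsdlUrl)` reads a
// predictable file from the shared directory.

// Hardened option 1: do not use the disk cache at all.
$clientNoCache = new SoapClient($wsdlUrl, ['cache_wsdl' => WSDL_CACHE_NONE]);

// Hardened option 2: a per-application private cache directory (mode 0700).
$cacheDir = '/var/lib/myapp/wsdl-cache'; // placeholder path
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true);
}
ini_set('soap.wsdl_cache_dir', $cacheDir);
foreach (check_wsdl_cache_config() as $problem) {
    error_log("WSDL cache: $problem");
}
$clientPrivate = new SoapClient($wsdlUrl, ['cache_wsdl' => WSDL_CACHE_DISK]);
```

Running check_wsdl_cache_config() against an unchanged php.ini reports /tmp as world-writable, which is the condition the report describes.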
Michael, can you send an email to firstname.lastname@example.org with the above? This does sound like a security issue to me, but I can't say how severe it is. This may or may not be "arbitrary code" (i.e. you can define by the wsdl what code to execute on the remote server), but you could use it to do some kind of "pinging" to a remote server when the wsdl is called. I'll admit that I don't know much about this so I'm not sure how bad it is.
Done, I sent the email (as you likely have seen) and added rcollet@ since he wanted to comment on it (and is our php packager).
This has been made public and PHP re-notified.
This issue was discovered by Michael Scherer of Red Hat.