Bug 195538 - CVE-2006-2660 tempnam() unique filename bypass
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Joe Orton
QA Contact: David Lawrence
Keywords: Security
Reported: 2006-06-15 12:43 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2006-06-23 06:23:22 EDT
Attachments: None

Description Josh Bressers 2006-06-15 12:43:24 EDT
tempnam() unique filename bypass

Buffer consumption vulnerability in the tempnam function in PHP 5.1.4
and 4.x before 4.4.3 allows local users to bypass restrictions and
create PHP files with fixed names in other directories via a pathname
argument longer than MAXPATHLEN, which prevents a unique string from
being appended to the filename.

In order for this issue to be exploited, a user application would have
to use tempnam() in a manner which would allow an attacker to control
the filename.

This issue also affects RHEL3
This issue also affects RHEL2.1
Comment 1 Mark J. Cox (Product Security) 2006-06-22 04:29:24 EDT
splitting out RHEL2.1 into its own tracking bug
Comment 2 Joe Orton 2006-06-23 06:23:22 EDT
The "attack" described here is to pass a long path to the
php_do_open_temporary_file function, which will force the snprintf() call to
truncate the path printed to the fixed length buffer (of size MAXPATHLEN).  The
'XXXXXX' characters would then be omitted from the path passed to mkstemp.

The aim being that the mkstemp call would then create a file with an extension
under the control of the "attacker" and hence possibly an executable PHP script,
rather than with the unique suffix.

But the glibc mkstemp() implementation will fail if the passed-in path does not
include the trailing "six Xs"; in that case php_open_temporary_* will fall back
on using the system-wide temp dir rather than the user-supplied one.

In any case, the "open_basedir" feature does not implement a reliable security
barrier between script and environment, so script authors must be trusted with
privileges of the "apache" user anyway.
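The truncation mechanism and the mkstemp() precondition described in comment 2, as an added C example (not PHP's source): an unchecked snprintf() into a MAXPATHLEN buffer silently drops the "XXXXXX" suffix once the directory is long enough, while a builder that checks snprintf()'s return value refuses the template instead. MAXPATHLEN comes from <sys/param.h>; the two builders and the constructed overlong directory name are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* MAXPATHLEN, the fixed buffer size named in comment 2 */

/* Outcome of building the template that would be passed to mkstemp(). */
enum outcome { SUFFIX_INTACT, SUFFIX_LOST, REJECTED };

/* The precondition glibc's mkstemp() enforces: the template ends in six 'X's.
 * Without them mkstemp() fails with EINVAL, which is why comment 2 concludes
 * the truncated path is never used and PHP falls back to the system temp dir. */
static bool has_mkstemp_suffix(const char *tmpl)
{
    size_t n = strlen(tmpl);
    return n >= 6 && strcmp(tmpl + n - 6, "XXXXXX") == 0;
}

/* Mimics the step comment 2 describes: directory and prefix are printed into a
 * MAXPATHLEN buffer with "XXXXXX" appended, and snprintf()'s return value is
 * ignored.  If dir is long enough, the buffer fills before the X's are written. */
static enum outcome build_unchecked(const char *dir, const char *prefix)
{
    char buf[MAXPATHLEN];
    snprintf(buf, sizeof buf, "%s/%sXXXXXX", dir, prefix);
    return has_mkstemp_suffix(buf) ? SUFFIX_INTACT : SUFFIX_LOST;
}

/* Hardened variant: snprintf() returns the length it wanted to write, so a
 * value >= sizeof buf means truncation and the template must not be used. */
static enum outcome build_checked(const char *dir, const char *prefix)
{
    char buf[MAXPATHLEN];
    int want = snprintf(buf, sizeof buf, "%s/%sXXXXXX", dir, prefix);
    if (want < 0 || (size_t)want >= sizeof buf)
        return REJECTED;
    return has_mkstemp_suffix(buf) ? SUFFIX_INTACT : SUFFIX_LOST;
}

/* Drives either builder with a constructed directory name longer than
 * MAXPATHLEN ("/aaaa..."); nothing is created on disk. */
static enum outcome overlong_dir(bool checked)
{
    char dir[MAXPATHLEN + 16];
    memset(dir, 'a', sizeof dir - 1);
    dir[0] = '/';
    dir[sizeof dir - 1] = '\0';
    return checked ? build_checked(dir, "php") : build_unchecked(dir, "php");
}
```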
