Date: Tue, 28 Feb 2017 05:08:06 -0600 From: php-dev@...dogsoftware.net To: oss-security@...ts.openwall.com Subject: Re: CVE Request: PHP with Zend OPCache code permission/sensitive data protection vulnerability On Mon, Feb 27, 2017 at 04:52:58PM -0600, php-dev@...dogsoftware.net wrote: > > To briefly summarize, in PHP SAPI's where PHP interpreters share a > common parent process (eg. Apache mod_php and PHP-FPM), Zend OpCache > creates a shared memory object owned by the common parent during > initialization. Child PHP processes inherit the SHM descriptor, using it > to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). > Cache keys vary depending on configuration, but filename is a central > key component, and compiled opcode can generally be run if a script's > filename is known or can be guessed. > > Many common shared hosting configurations change EUID in child processes > to enforce privilege separation among hosted users. In these scenarios, > default Zend OpCache behavior defeats script file permissions by sharing > a single SHM cache among all child PHP processes. > > PHP scripts often contain sensitive information: Think of CMS > configurations where reading or running another user's script usually > means gaining privileges to the CMS database. > > > AFFECTED VERSIONS: > PHP7 < 7.0.14 and PHP5 < 5.6.29. Later versions are still vulnerable by > default unless opcache.validate_permission=1 is enabled. > > AFFECTED COMPONENT: > Zend OpCache > > VULNERABILITY TYPE: > Code permission/sensitive information disclosure > > IMPACT: > Cross-user compromise of PHP web applications in shared hosting > environments. > > REFERENCES: > http://marc.info/?l=php-internals&m=147921016724565&w=2 > https://bugs.php.net/bug.php?id=69090 > http://seclists.org/oss-sec/2016/q4/343 This has been assigned CVE-2015-8994 via cveform.mitre.org. -- php-dev at coydogsoftware dot net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ