[php-maint] Bug#618489: Bug#618489: php5-common: priviledge escalation in /etc/cron.d/php5
seanius at debian.org
Wed Mar 16 08:59:55 UTC 2011
On Tue, Mar 15, 2011 at 04:17:50PM +0000, Stephane Chazelas wrote:
> 09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
> when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
> not the ones in /var/lib/php5/bar, assuming foo appears before
> bar, find will output /var/lib/php5/foo/passwd and then spend a
> few minutes in /var/lib/php5/bar during which the attacker can
> replace his /var/lib/php5/foo directory with a symlink to /etc.
> Then xargs will remove /etc/passwd.
Wouldn't xargs just remove the symlink? I could see this being a
problem if xargs was putting something *into* the files, but don't
see the particular issue here.
More information about the pkg-php-maint