[suPHP] SECURITY ISSUE: Immediate update advised
Sebastian Marsching
sebastian at marsching.com
Sun Mar 30 15:58:22 CEST 2008
Hi,
suPHP version 0.6.3 has just been released and can be downloaded from
http://www.suphp.org/Download.html.
It fixes two security vulnerabilities concerning symlinks. Immediate
update is strongly advised.
The first vulnerability was reported by several people (thanks to
everyone): when the requested script was a symbolic link and suPHP was
running in "owner" mode, the owner of the referenced file, and not the
owner of the symbolic link, was used to determine the target user. suPHP
checked that the symbolic link's owner matched the owner of the
referenced file, but under a race condition it was possible to make this
check succeed by first pointing the link at a file owned by the symlink
owner, then changing the link to point to a file of a different user,
and finally changing the link to point back to a file owned by the
symlink owner.
If suPHP is running in "paranoid" mode, this vulnerability (probably)
cannot be exploited, as the owner of the symlink has to match the target
user specified in the Apache configuration.
While investigating this issue, I found a second vulnerability which is
more harmful, as the attack requires less accurate timing and might be
possible even in "paranoid" mode:
If an attacker creates a symlink that points to the directory of another
user, suPHP will use privileges of the owner of the script in the target
directory. If the attacker changes the target of the symlink to a
directory of his own after suPHP has changed privileges but before PHP
has read the script file, PHP will read the script from the new location
and execute the attacker's code with the privileges of the target user.
Again, this vulnerability is less severe in "paranoid" mode, as the
attacker has to have write access to a directory that is configured for
another target user. However, this could happen if a user has given
write permission to the group or others for a directory within the home
directory (unfortunately the installation guides of some scripts advise
doing so).
If you are using "owner" mode, both vulnerabilities are critical and an
immediate update is required.
If you are using "paranoid" mode, the first vulnerability is not
exploitable and the second one is less critical; however, you should
update as soon as possible, too.
These vulnerabilities are good examples of why "paranoid" mode should be
preferred over "owner" mode if possible.
Sorry for the inconvenience caused. I hope that with this update all
flaws are fixed. Of course, some kind of code review to check that the
issues are really fixed now would be appreciated.
Regards
Sebastian
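Both flaws above have the same shape: the script path is resolved once to decide which user to become, and resolved again when the script is actually read, and a symlink the attacker owns can be repointed in between. The example below is added here as an illustration and is not suPHP's code and not the change shipped in 0.6.3; the function names, the file names and the temporary directory are my own, and the mitigation shown (open the file first, then check ownership with fstat() on the descriptor that was opened, and for a link in the final path component also require the link itself to be owned by the expected user) is the general open-then-fstat defence against symlink races, which I am assuming here rather than taking from the suPHP sources.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern (the shape of check behind both advisories): resolve the
 * path once to check ownership, then resolve it again to open the file.
 * A symlink under attacker control can be repointed between the two
 * resolutions, so the file that is opened need not be the file checked. */
int open_script_racy(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != expected_uid)
        return -1;
    /* window: the path is resolved a second time here */
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Hardened pattern: open first, then verify ownership with fstat() on the
 * descriptor, i.e. on the object that was actually opened. Everything that
 * later reads the script must use this descriptor, not the path, or the
 * window reopens. If the final path component is a symlink, its own owner
 * must match too: a user can repoint a link he owns, but cannot hand
 * ownership of it to someone else. lstat() only sees a link in the final
 * component, so for links in parent directories (the second advisory) the
 * fstat() check on the opened file is the one that matters. */
int open_script_checked(const char *path, uid_t expected_uid)
{
    struct stat lst;
    if (lstat(path, &lst) == 0 && S_ISLNK(lst.st_mode) && lst.st_uid != expected_uid)
        return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a regular file owned by the calling user and a
 * symlink to it, under a private scratch directory (hypothetical names).
 * Returns 0 when the hardened open accepts the link for the owner's uid,
 * rejects it for a different uid, and hands back a descriptor whose contents
 * are the script that was checked; nonzero otherwise. */
int demo_symlink_check(void)
{
    char dir[64], target[128], lnk[128];
    snprintf(dir, sizeof dir, "/tmp/suphp-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) {
        /* fall back to the working directory if /tmp is not writable */
        snprintf(dir, sizeof dir, "suphp-demo-%ld", (long)getpid());
        if (mkdir(dir, 0700) != 0)
            return 1;
    }
    snprintf(target, sizeof target, "%s/script.php", dir);
    snprintf(lnk, sizeof lnk, "%s/link.php", dir);

    static const char body[] = "<?php echo 'hello'; ?>\n";   /* constructed script */
    const size_t body_len = sizeof body - 1;
    int rc = 2;
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) {
        ssize_t w = write(fd, body, body_len);
        close(fd);
        if (w == (ssize_t)body_len && symlink(target, lnk) == 0) {
            uid_t me = getuid();
            int good = open_script_checked(lnk, me);     /* link and target owned by me */
            int bad = open_script_checked(lnk, me + 1);  /* some other uid: must fail */
            if (good >= 0 && bad < 0) {
                char buf[64];
                ssize_t n = read(good, buf, sizeof buf);
                /* the descriptor refers to the checked object, not to whatever
                 * the link points at now, so its contents are the checked script */
                if (n == (ssize_t)body_len && memcmp(buf, body, body_len) == 0)
                    rc = 0;
            }
            if (good >= 0) close(good);
            if (bad >= 0) close(bad);
        }
    }
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_check();
    printf("%s\n", rc == 0 ? "hardened check behaves as expected" : "demo failed");
    return rc;
}
```

The point of the descriptor-based check is that the thing that gets executed must be the thing that was checked. A wrapper that verifies ownership and then hands the interpreter a path string (the way a setuid wrapper naturally would) has reopened the race, because the interpreter's own open() resolves the path a second time; the interpreter has to read from the verified descriptor instead, for example by being handed the descriptor and reading it through fdopen() or, on Linux, by being pointed at /proc/self/fd/N, which resolves to the already-opened object and not to the current link target. Note also that the "paranoid" mode caveat in the advisory still applies: an ownership check on the opened file does nothing against a file that really is owned by the target user and sits in a directory the target user made group- or world-writable.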