Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
Race Condition: PHP Design Flaw
Abstract
The PHP
open_basedir configuration option contains a design flaw that leaves it vulnerable to file access race conditions, which can allow an attacker to circumvent access control checks on the file system.Explanation
When present, the
The window of vulnerability for such an attack is the period of time between when the access check is performed and when the file is opened. Even though the calls are performed in close succession, modern operating systems offer no guarantee about the amount of code that will be executed before the process yields the CPU. Attackers have a variety of techniques for expanding the length of the window of opportunity in order to make exploits easier, but even with a small window, an exploit attempt can simply be repeated over and over until it is successful.
open_basedir configuration option attempts to prevent PHP programs from operating on files outside of the directory trees specified in php.ini. Although the open_basedir option is an overall boon to security, the implementation suffers from a race condition that can permit attackers to bypass its restrictions in some circumstances [2]. A time-of-check, time-of-use (TOCTOU) race condition exists between the time PHP performs the access permission check and when the file is opened. As with file system race conditions in other languages, this vulnerability can allow attackers to replace a symlink to a file that passes the access control check with another for which the test would otherwise fail, thereby gaining access to the protected file.The window of vulnerability for such an attack is the period of time between when the access check is performed and when the file is opened. Even though the calls are performed in close succession, modern operating systems offer no guarantee about the amount of code that will be executed before the process yields the CPU. Attackers have a variety of techniques for expanding the length of the window of opportunity in order to make exploits easier, but even with a small window, an exploit attempt can simply be repeated over and over until it is successful.
References
[1] M. Achour et al. PHP Manual
[2] Stefan Esser PHP open_basedir Race Condition Vulnerability
[3] Emmanuel Dreyfus Securing Systems with Chroot
[4] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SA-11 Developer Security Testing and Evaluation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SA-11 Developer Testing and Evaluation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective B.3.3 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[20] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001995 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001995 CAT II
desc.structural.php.race_condition_php_design_flaw