界: Environment
本节包括的所有内容均与源代码无关,但对所创建产品的安全性仍然至关重要。因为本节涉及的问题与源代码没有直接关系,所以我们将它与其他章节分开。
Race Condition: PHP Design Flaw
Abstract
PHP 配置选项
open_basedir 存在一个设计缺陷,使该选项容易发生文件访问 race condition,从而可能使攻击者绕过 file system 上的 access control 检查。Explanation
如果启用
这种攻击针对的漏洞大小取决于执行访问检查与打开文件这两个时刻之间的时间间隙。即使连续执行调用,现今的操作系统也无法确保在进程让出 CPU 之前将执行的代码数量。攻击者掌握了多种扩大该时间间隙的技术,以便更加容易地发起攻击,但即使是一段很短的间隙,该攻击企图也可以不断地重复,直到成功为止。
open_basedir 配置选项,该选项会试图阻止 PHP 程序对 php.ini 文件中所指定的目录结构以外的文件进行操作。尽管 open_basedir 选项从总体上有利于保证安全性,但它的实施效果却受到 race condition 的不利影响,这种状况可能会允许攻击者在某些情况下绕过该选项所定义的限制条件 [2]。在 PHP 执行访问权限检查与打开文件的两个时刻之间,存在一种 TOCTOU(检查时间,使用时间)race condition。与其他语言中 file system 的 race condition 一样,这一漏洞会导致攻击者能够将指向一个通过 access control 检查的文件的 symlink 替换为另一个本不能通过测试的文件,从而获得对受保护文件的访问权限。这种攻击针对的漏洞大小取决于执行访问检查与打开文件这两个时刻之间的时间间隙。即使连续执行调用,现今的操作系统也无法确保在进程让出 CPU 之前将执行的代码数量。攻击者掌握了多种扩大该时间间隙的技术,以便更加容易地发起攻击,但即使是一段很短的间隙,该攻击企图也可以不断地重复,直到成功为止。
References
[1] M. Achour et al. PHP Manual
[2] Stefan Esser PHP open_basedir Race Condition Vulnerability
[3] Artur Maj Securing PHP
[4] Emmanuel Dreyfus Securing Systems with Chroot
[5] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SA-11 Developer Security Testing and Evaluation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SA-11 Developer Testing and Evaluation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001995 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001995 CAT II
desc.structural.php.race_condition_php_design_flaw