psecio/iniscan

Add check for CVE-2013-1635 (only for 5.3.22 and 5.4.x before 5.4.13)

enygma opened this issue · 5 comments

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

Validate that, if open_basedir is in effect, soap.wsdl_cache_dir is inside it.

http://www.cvedetails.com/cve/CVE-2013-1635/
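As an added illustration of the check described above (this is example code written for this thread, not iniscan's own Rule class or its evaluate API): a standalone PHP function that takes a parsed php.ini array and a target PHP version string, decides whether the version falls in the affected range, and then tests whether soap.wsdl_cache_dir sits inside one of the open_basedir entries. It assumes Unix-style absolute paths, that the ini is a flat array as parse_ini_file() with INI_SCANNER_RAW returns it, and that the scanner runs on the same OS family as the target so PATH_SEPARATOR matches the separator used in open_basedir. The containment test is deliberately stricter than PHP's own open_basedir prefix match, which is noted in the code.

```php
<?php
// Added example for this issue thread; not iniscan's own rule code.
// Assumptions: flat ini array (parse_ini_file/INI_SCANNER_RAW shape),
// Unix-style absolute paths, PATH_SEPARATOR matches the target's separator.

function isAffectedVersion(string $version): bool
{
    // CVE-2013-1635 is fixed in 5.3.22 and 5.4.13.
    return version_compare($version, '5.3.22', '<')
        || (version_compare($version, '5.4.0', '>=') && version_compare($version, '5.4.13', '<'));
}

function normalisePath(string $path): string
{
    $path = preg_replace('#/+#', '/', trim($path));
    return $path === '/' ? '/' : rtrim($path, '/');
}

// Directory containment. PHP's own open_basedir test is a raw string-prefix
// match (open_basedir=/var/www also admits /var/www_old); for an audit rule
// we require a path-component boundary instead.
function isInsideBasedir(string $dir, string $openBasedir): bool
{
    $dir = normalisePath($dir);
    if ($dir === '' || $dir[0] !== '/') {
        return false; // relative or empty cache dir: containment cannot be shown, so flag it
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $base = normalisePath($base);
        if ($base === '') {
            continue;
        }
        if ($base === '/' || $dir === $base || strpos($dir, $base . '/') === 0) {
            return true;
        }
    }
    return false;
}

function checkWsdlCacheDir(array $ini, string $phpVersion): array
{
    $openBasedir = trim((string) ($ini['open_basedir'] ?? ''));
    // PHP's built-in defaults: WSDL cache enabled, cache dir /tmp.
    $cacheDir = trim((string) ($ini['soap.wsdl_cache_dir'] ?? '/tmp'));
    $cacheOff = in_array(strtolower(trim((string) ($ini['soap.wsdl_cache_enabled'] ?? '1'))),
                         ['0', 'off', 'false', 'no', ''], true);

    if (!isAffectedVersion($phpVersion)) {
        return ['pass' => true, 'reason' => "PHP $phpVersion is not affected by CVE-2013-1635"];
    }
    if ($openBasedir === '') {
        return ['pass' => true, 'reason' => 'open_basedir is not set, so there is no restriction to bypass'];
    }
    if ($cacheOff) {
        return ['pass' => true, 'reason' => 'soap.wsdl_cache_enabled is off, no WSDL cache files are written'];
    }
    if (isInsideBasedir($cacheDir, $openBasedir)) {
        return ['pass' => true, 'reason' => "soap.wsdl_cache_dir $cacheDir is inside open_basedir"];
    }
    return [
        'pass'   => false,
        'reason' => "soap.wsdl_cache_dir $cacheDir is outside open_basedir ($openBasedir); "
                  . 'move the cache dir inside open_basedir, disable the WSDL cache, or upgrade PHP',
    ];
}

// Constructed php.ini fragment for the demo (not a real file). parse_ini_string()
// keeps the example offline; a scanner reading a real file with parse_ini_file()
// is itself subject to the scanning process's own open_basedir.
$constructedIniText = <<<'INI'
open_basedir = /var/www/site:/usr/share/php
soap.wsdl_cache_enabled = 1
soap.wsdl_cache_dir = /tmp
INI;
$constructedIni = parse_ini_string($constructedIniText, false, INI_SCANNER_RAW);

$cases = [
    'default /tmp cache dir' => checkWsdlCacheDir($constructedIni, '5.4.12'),
    'cache dir moved inside' => checkWsdlCacheDir(
        ['soap.wsdl_cache_dir' => '/var/www/site/cache'] + $constructedIni, '5.4.12'),
    'same ini, patched PHP'  => checkWsdlCacheDir($constructedIni, '5.4.13'),
];
foreach ($cases as $name => $r) {
    printf("%-24s %s: %s\n", $name, $r['pass'] ? 'PASS' : 'FAIL', $r['reason']);
}
```

The version gate is what makes the rule usable for the "scan before an upgrade/downgrade" use case raised below: the target version is passed in rather than taken from PHP_VERSION of the process running the scan.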

Before I submit a pull request for this a couple of questions:

  1. The naming scheme for rules dealing with CVEs. Would you prefer a class name that conforms to a particular naming scheme (e.g.: Psecio\Iniscan\Rule\Cve\2013\1635) or something a bit more descriptive (e.g.: Psecio\Iniscan\Rule\CheckSoapWsdlCacheDir)?
  2. I'd like to extend Psecio\Iniscan\Rule to include a get/set version so the ini tool can be used to scan future problems with a php.ini before an upgrade/downgrade happens (also makes testing for version specific rules easier). Are you happy with that?

  1. I think I'd like to stick with the descriptive name and just provide a link to the CVE in the header docs of the class. I'd rather people know what it's checking than what specific CVE it relates to.
  2. Yep, that's good by me - go for it.

Found an interesting side-effect. Setting open_basedir to a folder that does not contain your CLI php.ini prevents PHP from being able to read the php.ini file, which prevents iniscan from working (obviously this is moot when scanning your apache/httpd/etc php.ini file).

Huh, good point...chicken and egg sort of thing. I guess that's one limitation of using PHP to run a PHP check heh...

Closing this issue as this check was added.