CVE-2015-3211

First published: Fri Jun 05 2015(Updated: )

It was reported that php-fpm package is vulnerable to symlink attack: # ls -lad /var/log/php-fpm drwxrwx--- 2 apache root 4096 May 28 18:53 /var/log/php-fpm <a href="https://git.centos.org/blob/rpms!php/4b401fd4915cda3a1a336902afad4e5321859c32/SPECS!php.spec#L1409">https://git.centos.org/blob/rpms!php/4b401fd4915cda3a1a336902afad4e5321859c32/SPECS!php.spec#L1409</a> %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm After installing php-fpm package, any software running under apache user can create symlink /var/log/php-fpm/error.log pointing to any file. After starting php-fpm service - file pointed by symlink will be appended by php-fpm log output. If a file did not exist before - it will be created. This issue only exist for a short time - after php-fpm package install and before php-fpm process is started for the first time. Exiting working configurations are not affected by this issue. Steps to reproduce: - make sure you don't have php-fpm leftovers: # rm -rf /var/log/php-fpm - install php-fpm: # dnf install php-fpm - as an 'apache' user create an evil symlink: # su -s /bin/bash - apache $ ln -s /root/.bashrc /var/log/php-fpm/error.log - start php-fpm process: # systemctl start php-fpm - look at the contents of /root/.bashrc file (php-fpm error log output will be appended there) # cat /root/.bashrc

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• agent/references
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/weakness
• agent/author
• agent/severity
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2015-3211
• agent/event
• agent/description
• agent/tags
• agent/trending
• vendor/php-fpm
• canonical/php-fpm php-fpm