PHP : Race condition of type TOCTOU

Overview

The implementation of the open_basedir option in PHP is incorrect and leads to a race condition. This can allow an attacker to bypass the checks and gain access to protected files.

When enabled, the open_basedir option tries to limit the files that PHP programs can handle to the directories specified in php.ini. If the working directory is specified using ., an attacker can change that directory with chdir().

The implementation of the open_basedir option is incorrect and leads to a race condition of type TOCTOU (time-of-check, time-of-use). The race condition occurs because the access rights check and the opening of the file are separate operations, and what runs between them is not guaranteed. An attacker can exploit this and replace the symbolic link, thereby obtaining access to a protected file.

The attacker's window of opportunity is limited to the time between the access rights check and the opening of the file. Modern operating systems do not guarantee how much code is executed before a given process gets access to the processor. There are techniques that extend this window. In any case, the attack can be repeated until it succeeds.
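
The check-then-open order described above, next to a single open that refuses a symbolic link, as an added Python example that is not PHP's or DerScanner's code. The function names, the between hook standing in for the scheduling gap, and the temporary files are constructed for illustration; it assumes a POSIX system and a base directory path that only the administrator controls.

```python
import os
import tempfile

def check_then_open(base, name, between=None):
    """Vulnerable order: validate the resolved path, then open by name again."""
    base_real = os.path.realpath(base)
    path = os.path.join(base, name)
    if os.path.commonpath([os.path.realpath(path), base_real]) != base_real:
        raise PermissionError("outside allowed directory")   # time of check
    if between:
        between()              # constructed hook standing in for the scheduling gap
    with open(path, "rb") as f:                               # time of use
        return f.read()

def open_without_following(base, name):
    """Hardened order: one open() on a directory fd that refuses a final symlink."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("single file name expected")
    dir_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo():
    """Constructed files in a temp dir; returns (normal, raced, refused)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "allowed")
        os.mkdir(base)
        outside = os.path.join(root, "protected.txt")
        inside = os.path.join(base, "data.txt")
        for p, data in ((outside, b"protected"), (inside, b"public")):
            with open(p, "wb") as f:
                f.write(data)
        normal = open_without_following(base, "data.txt")
        def swap():            # replaces the checked file with a symlink
            os.remove(inside)
            os.symlink(outside, inside)
        raced = check_then_open(base, "data.txt", between=swap)
        try:
            open_without_following(base, "data.txt")
        except OSError:        # ELOOP: the final component is a symlink
            return normal, raced, True
        return normal, raced, False

if __name__ == "__main__":
    print(demo())
```

The hardened function only covers a file directly inside the base directory; nested paths need the same descriptor-relative open repeated for each component.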

DerScanner Severity Score: MEDIUM
