Excessive privileges - Temporary Files
Need
Enforce proper privileges and access restrictions for temporary files
Context
• Usage of PHP 5.0+ for server-side scripting and web development
• Usage of sys_get_temp_dir for retrieving the system's temporary directory path
Description
1. Non-compliant code
$tempFile = tempnam(sys_get_temp_dir(), 'temp');
$file = fopen($tempFile, 'w');
fwrite($file, 'Sensitive data');
fclose($file);

In the code above, a temporary file is created in the system's temporary directory with the `tempnam()` function. This function creates a file with a unique name prefixed by the string 'temp'. The file is then opened in write mode (`'w'`) with `fopen()`, sensitive data is written into it with `fwrite()`, and it is closed with `fclose()`. The vulnerability is that the application creates the temporary file without explicitly restricting its permissions or access mode, so any user or process with access to the system's temporary directory can read, modify or delete it. An attacker with access to that directory could read the sensitive data, tamper with it or delete the file, leading to information disclosure, data tampering or denial of service. Furthermore, because the filename is predictable (it is always prefixed by 'temp'), an attacker could guess the name and target this file specifically. To fix this vulnerability, the application should restrict the privileges of the temporary file so that only the process that created it can access it.
2. Steps
• Use a secure method to generate temporary file names to prevent prediction of the file name.
• Restrict the permissions of the temporary file to only the necessary users or processes.
• Ensure that the temporary file is securely deleted after its use.
• Consider encrypting the contents of the temporary file if it contains sensitive data.
3. Secure code example
// Generate a secure random file name
$tempFile = tempnam(sys_get_temp_dir(), bin2hex(random_bytes(10)));
// Open the file for writing
$file = fopen($tempFile, 'w');
// Restrict the permissions of the file to the current user only
...

The code above fixes the vulnerability with the following measures:
1. **Secure random file name**: `bin2hex(random_bytes(10))` generates a cryptographically random prefix for the file name, which makes it difficult for an attacker to predict the name.
2. **Restricted permissions**: `chmod($tempFile, 0600)` restricts the file's permissions to the current user only, so other users or processes cannot access it.
3. **Encryption**: `openssl_encrypt` encrypts the data before it is written to the file, so even an attacker who manages to access the file cannot read the sensitive data.
4. **Secure deletion**: `register_shutdown_function('unlink', $tempFile)` ensures the file is deleted when the script finishes, so it cannot be accessed after it has served its purpose.
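As an added example that is not part of this guide, the following PHP completes the hardened pattern described in the steps and the secure code example above, including the checks a practitioner would add around `tempnam()`. The cipher (AES-256-GCM via `openssl_encrypt`), the caller-supplied 32-byte key and the function name `writeSensitiveTempFile` are assumptions.

```php
<?php
// Added example (not the guide's own code): the full pattern the steps above
// describe. Assumptions: AES-256-GCM via openssl_encrypt, and a 32-byte key
// supplied by the caller (constructed below; load it from a secret store).
function writeSensitiveTempFile(string $plaintext, string $key): string
{
    $dir = sys_get_temp_dir();
    // tempnam() creates the file atomically with its own random suffix; the
    // random prefix adds entropy (Windows keeps only the first 3 prefix chars).
    $tempFile = tempnam($dir, bin2hex(random_bytes(10)));
    if ($tempFile === false) {
        throw new RuntimeException('could not create temporary file');
    }
    // tempnam() silently falls back to the system temp dir when $dir is not
    // writable, so verify the file landed where expected.
    if (dirname(realpath($tempFile)) !== realpath($dir)) {
        unlink($tempFile);
        throw new RuntimeException('temporary file created outside ' . $dir);
    }
    // Owner-only permissions, applied before any data is written.
    if (!chmod($tempFile, 0600)) {
        unlink($tempFile);
        throw new RuntimeException('could not restrict permissions');
    }
    // Delete on shutdown, including after fatal errors.
    register_shutdown_function(static function () use ($tempFile): void {
        if (is_file($tempFile)) {
            unlink($tempFile);
        }
    });
    // Encrypt before writing so plaintext never reaches the disk.
    $iv  = random_bytes(12); // 96-bit GCM nonce
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // On-disk layout: iv (12 bytes) || tag (16 bytes) || ciphertext
    file_put_contents($tempFile, $iv . $tag . $ciphertext, LOCK_EX);
    return $tempFile;
}

// Demo with a constructed key; prints the path and its permission bits.
$key  = random_bytes(32);
$path = writeSensitiveTempFile('Sensitive data', $key);
printf("%s mode %o\n", $path, fileperms($path) & 0777);
```

Because the file is deleted at shutdown, a reader must decrypt it (using the stored IV and tag with `openssl_decrypt`) within the same request that created it.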
References
• 160. Excessive privileges - Temporary Files