CVE-2015-8994 in PHPinfo

Summary

by MITRE

An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database.

Analysis

by VulDB Data Team • 09/03/2020

CVE-2015-8994 is a critical privilege escalation issue in PHP installations running under apache2handler/mod_php or php-fpm with OpCache enabled. It matters most in shared hosting environments, where scripts belonging to several user accounts run in child processes of one common parent. During initialization, Zend OpCache creates a shared memory segment that every child process inherits, regardless of the user that child later runs as. A process running as one user can therefore reach cached bytecode compiled from another user's scripts, bypassing the file permissions that would normally prevent such cross-user access.

The weakness lies in how Zend OpCache manages memory in multi-process environments. When PHP interpreters share a common parent, the parent creates the shared memory object that caches compiled script bytecode, and the children use it both to store and to retrieve entries. Cache keys are derived from file paths and other identifying information, but nothing ties an entry to the effective user ID of the process that compiled it, so any child process can retrieve any entry. This violates the principle of least privilege: a malicious user can access or execute code from other users' scripts. The problem is especially serious with mod_ruid2 or php-fpm configurations that change EUID to enforce user separation, because that separation does not extend to the shared cache.

The operational impact goes well beyond information disclosure, since the flaw enables privilege escalation across an entire hosting environment. In shared hosting, an attacker can read configuration files, database credentials and other confidential data stored in PHP scripts that belong to other users. Many content management systems keep database connection details, API keys and similar secrets in such configuration files, so access to them typically yields unauthorized access to other users' databases and can lead to complete compromise of multiple websites on the same server. This is a significant threat to cloud and shared hosting providers whose customers share the same infrastructure.

The mitigation is a configuration setting: administrators must set opcache.validate_permission=1 in php.ini, which is not enabled by default and which, per the MITRE summary above, resolves the issue on 5.x builds after 5.6.28 and 7.x builds after 7.0.13. With it enabled, OpCache validates file permissions for each cached script before serving it, so a process cannot use bytecode of a script it could not read itself. Because the protection requires explicit configuration, many installations remain vulnerable, particularly in shared hosting environments whose administrators are unaware of this requirement. The vulnerability aligns with CWE-284 (Improper Access Control) and CWE-285 (Improper Authorization), as it is a failure of access control within the PHP runtime. In ATT&CK terms it maps to T1078 (Valid Accounts) and T1548.001 (Abuse Elevation Control Mechanisms), since it lets an attacker use a legitimate user account to reach resources that account is not authorized for, bypassing the privilege separation on which the hosting design depends. Organizations should monitor OpCache-related configuration and ensure that every PHP installation in a shared hosting environment has permission validation enabled.
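As an added check (not VulDB's or the PHP project's code), the following audit helper turns the conditions stated above into a verdict for one PHP instance: it reads an opcache ini fragment, compares the build against the 5.6.28 / 7.0.13 thresholds and reports whether opcache.validate_permission actually protects it. The SAPI names, ini snippets and version strings are constructed inputs, and the php.ini parser is deliberately minimal.

```python
"""Audit helper for the CVE-2015-8994 conditions (added example, not VulDB's or
PHP's own code). A multi-process SAPI with OpCache on is exposed unless the build
is newer than 5.6.28 / 7.0.13 AND opcache.validate_permission=1 is set (default 0).
The ini snippets and version strings below are constructed inputs."""
import re

TRUTHY = {"1", "on", "true", "yes"}
MULTIPROCESS_SAPIS = ("apache2handler", "fpm-fcgi")   # php-fpm reports "fpm-fcgi"

# Constructed: a default-style opcache section and its hardened counterpart.
WEAK_INI = """[opcache]
opcache.enable=1
; opcache.validate_permission left at its default of 0
"""
HARDENED_INI = WEAK_INI + "opcache.validate_permission = On\n"

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def ini_flag(settings, key, default):
    """PHP-style boolean: 1/On/True/Yes are on, anything else is off."""
    return settings.get(key, default).lower() in TRUTHY

def fix_available(version):
    """Builds carrying the fix per the advisory: 5.x after 5.6.28, 7.x after 7.0.13."""
    major, minor, patch = (int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if major == 5:
        return (minor, patch) > (6, 28)
    if major == 7:
        return (minor, patch) > (0, 13)
    return major > 7

def assess(version, sapi, settings):
    """Return 'not-applicable', 'vulnerable' or 'mitigated' for one PHP instance."""
    if sapi not in MULTIPROCESS_SAPIS:
        return "not-applicable"      # no common parent handing one SHM cache to children
    if not ini_flag(settings, "opcache.enable", "1"):   # opcache.enable defaults to 1
        return "not-applicable"
    if fix_available(version) and ini_flag(settings, "opcache.validate_permission", "0"):
        return "mitigated"
    return "vulnerable"              # one cache shared across EUIDs, no permission check
```

Note that setting opcache.validate_permission on a build older than the thresholds is reported as still vulnerable, because the directive only exists in the fixed builds.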

Reservation: 02/28/2017
Disclosure: 03/02/2017
Moderation: accepted
Entry: VDB-97454
CPE: ready
EPSS: 0.01203
KEV: no
Activities: very low