CVE-2022-45307 in PHP Packageinfo

Summary

by MITRE • 11/29/2022

Insecure permissions in the Chocolatey PHP package v8.1.12 and below grant all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.


Analysis

by VulDB Data Team • 04/25/2025

This vulnerability exists in the installation step of the Chocolatey PHP package, which configures insecure file permissions. Affected versions (v8.1.12 and earlier) set folder permissions that allow every member of the Authenticated Users group to write to the C:\tools\php81 directory and its contents. Any authenticated user can therefore modify the PHP binaries and configuration files; when a more privileged principal (an administrator, a scheduled task, or a web or service account) later executes PHP from that directory, the modified code runs with that principal's rights, which is the privilege escalation path. The flaw stems from improper access control during package installation and violates the principle of least privilege.

Technically, the flaw is a permissions misconfiguration that grants write access to a system-critical directory through the Authenticated Users group. That group contains every account that has logged on to the system, local or domain and including low-privileged ones, so the entry removes the boundary that should protect installed binaries from unauthorized modification. The weakness maps to CWE-276 (Incorrect Default Permissions) and is a classic case of missing access control enforcement. It is particularly dangerous because it affects the PHP runtime, which frequently executes web application code and is therefore a natural foothold for privilege escalation.

The operational impact goes beyond simple file modification. Any local user who can authenticate, including a low-privileged account, can replace the PHP binaries with malicious versions or edit the configuration files so that execution is redirected to attacker-controlled code. Because the modified files persist on disk and run every time PHP is invoked, the attacker also gains a durable backdoor and long-term access. The vulnerability affects systems where PHP was installed via the Chocolatey package manager, which includes web servers, development workstations, and automated deployment pipelines that rely on that installation method. The attack surface is any host on which an attacker already holds an authenticated session, so multi-user systems such as terminal servers and shared build agents are the most exposed.

Mitigation should focus on immediate permission correction and longer-term hardening. Administrators must correct the folder permissions so that write access is limited to authorized principals, typically Administrators, SYSTEM, and any specific service account that needs it. The recommended approach is to remove the write-capable entries for the Authenticated Users group (including any inherited entry that re-introduces them) and apply a proper discretionary access control list. Organizations should also audit permissions regularly and ensure that package installation processes enforce secure defaults. In ATT&CK terms the issue supports T1068 (Exploitation for Privilege Escalation) and T1548 (Abuse Elevation Control Mechanism); the file permission weakness sub-techniques under T1574 (Hijack Execution Flow) describe the replace-the-binary path most precisely. Application allow-listing and monitoring for unauthorized file modifications in installation directories add a detection layer. Proper remediation is to uninstall the vulnerable package and reinstall a version with corrected permissions, or to apply the vendor-provided fix that addresses the insecure permission model, and then to verify the resulting ACLs rather than assume them.
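The audit and the permission correction described above, as an added PowerShell example that is not part of the VulDB entry or of the Chocolatey package. The default path, the set of rights treated as "write-capable", and the replacement DACL (Administrators and SYSTEM full control, Users read and execute) are this example's own assumptions and should be adapted to the installation being repaired.

```powershell
# Added example for CVE-2022-45307; not code from VulDB or from the Chocolatey
# PHP package. Audits the advisory's directory for "Allow" entries that give
# Authenticated Users (S-1-5-11) any right that lets them change files, and with
# -Fix rewrites the DACL so that only Administrators and SYSTEM can write.
# Assumptions: the default path, the write-right mask and the replacement DACL.
[CmdletBinding()]
param(
    [string]$Path = 'C:\tools\php81',
    [switch]$Fix
)

$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

# Only rights that alter, replace or remove files. Composite rights such as
# Modify contain read bits, so they are not used as a mask; any ACE that holds
# Modify/Write/FullControl still matches because each contains WriteData.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-AuthUsersWriteAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $authUsers) { continue }
        if (([int]($ace.FileSystemRights -band $writeMask)) -eq 0) { continue }
        [pscustomobject]@{ Path = $Target; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}

function Set-HardenedAcl {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Break inheritance without copying the inherited entries, then drop every
    # explicit entry, so the weak ACE cannot survive from either source.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    # Replacement DACL (assumed): admins and SYSTEM full control, Users may read
    # and run php.exe but cannot write.
    foreach ($entry in @(
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' }      # BUILTIN\Administrators
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl' }      # NT AUTHORITY\SYSTEM
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute' }   # BUILTIN\Users
    )) {
        $id   = [System.Security.Principal.SecurityIdentifier]$entry.Sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $entry.Rights, $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Target -AclObject $acl
}

function Remove-AuthUsersExplicitAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $authUsers) { [void]$acl.RemoveAccessRule($ace); $changed = $true }
    }
    if ($changed) { Set-Acl -LiteralPath $Target -AclObject $acl }
}

# Audit the folder itself and everything below it; the advisory covers both.
# Scanning every child also catches inherit-only generic rights on the parent,
# which show up on the children as concrete FileSystemRights.
$root     = (Get-Item -LiteralPath $Path).FullName
$items    = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -Force)
$findings = @($items | ForEach-Object { Get-AuthUsersWriteAce -Target $_.FullName })

if ($findings.Count -eq 0) {
    Write-Output "No write-capable ACE for Authenticated Users under $root"
    return
}
$findings | Format-Table -AutoSize
if (-not $Fix) { Write-Output 'Re-run with -Fix from an elevated prompt to rewrite the DACL.'; return }

Set-HardenedAcl -Target $root
# Children that carried their own (non-inherited) weak ACE are not changed by
# the parent's new inheritable rules, so strip those entries individually.
foreach ($f in $findings | Where-Object { -not $_.Inherited -and $_.Path -ne $root }) {
    Remove-AuthUsersExplicitAce -Target $f.Path
}
# Re-audit; anything still listed (e.g. a child with a protected ACL) needs manual attention.
@($items | ForEach-Object { Get-AuthUsersWriteAce -Target $_.FullName }) | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since Set-Acl requires WRITE_DAC on every object it touches. Rewriting the DACL on an installed copy does not change what the package does on its next install, so it should accompany an upgrade to a version the advisory does not list as affected, followed by a second run of the audit to confirm the result.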

Reservation

11/14/2022

Disclosure

11/29/2022

Moderation

accepted

CPE

ready

EPSS

0.00353

KEV

no

Activities

very low
