Bugtraq mailing list archives

Re: PHP3 safe_mode and popen()

From: jean-luc () PICARD FRANKEN DE (Thomas Köhler)
Date: Wed, 5 Jan 2000 09:50:18 +0100


On Wed, Jan 05, 2000 at 04:27:48AM +0100,
David TILLOY <d.tilloy () NNX COM> wrote:


Kristian Koehntopp [kris () KOEHNTOPP DE] a Ã©crit:

PHP3 (http://www.php.net) is a scripting language used in many
webhosting setups. Often in hosting setups so called "safe_mode"
is enabled, which restricts the user in many ways. For example,
in safe_mode you are supposed to be able to execute only
programs from a safe_mode_exec_dir, if one is defined. Within
that directory there should be only a restricted command set
that is considered safe.


      [.../...]
      
      Right... Your patch seems to work only with php-3.0.12.
      I attach modified version for php-3.0.13.
      
dav.

--- /tmp/php-3.0.13/functions/file.c  Sat Jan  1 05:31:15 2000
+++ functions/file.c  Tue Jan  4 23:35:16 2000
@@ -26,7 +26,7 @@
    | Authors: Rasmus Lerdorf <rasmus () lerdorf on ca>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
 #include "php.h"

 #include <stdio.h>
@@ -51,6 +51,7 @@
 #include "safe_mode.h"
 #include "php3_list.h"
 #include "php3_string.h"
+#include "exec.h"
 #include "file.h"
 #if HAVE_PWD_H
 #if MSVC5
@@ -575,7 +576,7 @@
      pval *arg1, *arg2;
      FILE *fp;
      int id;
-     char *p;
+     char *p, *tmp=NULL;
      char *b, buf[1024];
      TLS_VARS;
      
@@ -601,6 +602,11 @@
                      snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
              }
              fp = popen(buf,p);


Not removing this line leaves the problem in PHP3. You'd better remove
it:-)

+             
+             tmp = _php3_escapeshellcmd(buf);
+             fp = popen(tmp,p);
+             efree(tmp); /* temporary copy, no longer necessary */
+             
              if (!fp) {
                      php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
                      RETURN_FALSE;


CU,
Thomas

-- 
 Thomas KÃ¶hler Email:   jean-luc () picard franken de   | LCARS - Linux for
     <><        WWW:  http://home.pages.de/~jeanluc/ | Computers on All
                IRC:             jeanluc             | Real Starships
   PGP public key: http://www.mayn.de/users/jean-luc/PGP-Public.asc

Current thread:

PHP3 safe_mode and popen() Kristian Koehntopp (Jan 03)
- FWD: Redhat advisory Alfred Huger (Jan 04)
  - Re: FWD: Redhat advisory (RPM --upgrade/-U vs. --freshen/-F) Peter W (Jan 04)
- Re: PHP3 safe_mode and popen() David TILLOY (Jan 04)
  - Re: PHP3 safe_mode and popen() Thomas Köhler (Jan 05)
  - CuteFTP saved password 'encryption' weakness Nick FitzGerald (Jan 05)
    - Re: CuteFTP saved password 'encryption' weakness Brian Kifiak (Jan 05)
  - Handspring Visor Network HotSync Security Hole Jay C Austad (Jan 05)
    - Re: Handspring Visor Network HotSync Security Hole Jim Frost (Jan 06)
    - Re: Handspring Visor Network HotSync Security Hole Chris Adams (Jan 07)
    - Re: Handspring Visor Network HotSync Security Hole Jason Spence (Jan 06)
  - Re: PHP3 safe_mode and popen() Kristian Koehntopp (Jan 06)
- [rootshell] Security Bulletin #27 Kit Knox (Jan 04)