Bugtraq mailing list archives

Re: PHP3 safe_mode and popen()


From: kris () KOEHNTOPP DE (Kristian Koehntopp)
Date: Thu, 6 Jan 2000 09:31:44 +0100


In netuse.lists.bugtraq you write:
      Right... Your patch seems to work only with php-3.0.12.
      I attach modified version for php-3.0.13.

Actually, my patch is against the current CVS of PHP and the
diff I posted was being generated directly from the CVS. Get
yourself a copy of current PHP directly from the CVS and all is
well.

@@ -601,6 +602,11 @@
                      snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
              }
              fp = popen(buf,p);
+              
+              tmp = _php3_escapeshellcmd(buf);
+              fp = popen(tmp,p);
+              efree(tmp); /* temporary copy, no longer necessary */
+              
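Review bot: the unchanged context line `fp = popen(buf,p);` directly above the added lines is still executed, so the command runs once with the unescaped `buf` before the escaped copy is opened. The second assignment to `fp` then overwrites the first stream handle, which is never closed with pclose(). The added lines should replace the original call rather than follow it, leaving a single `fp = popen(tmp,p);` after `tmp = _php3_escapeshellcmd(buf);`. The hunk as shown does not check `tmp` before passing it to popen(); a check is worth adding if the escape function can return NULL.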

Your patch does popen twice and the first popen() is unescaped.
This is broken and should not be used. Again, please use the CVS
to get a properly patched version of PHP or wait for the bugfix
release of PHP which will be out RSN.

Kristian

