Bugtraq mailing list archives
Re: [BUGTRAQ] php breaks safe mode
From: Joe Harris <cdi () thewebmasters net>
Date: Mon, 2 Jul 2001 15:12:43 -0700 (PDT)
On Sat, 30 Jun 2001, Joost Pol wrote:
> Subject : PHP safe_mode troubles.
[many snips throughout]
> An attacker could easily upload a simple evil.php script containing: <? mail("foo@bar","foo","bar","",$bar); ?>
If an intruder can upload PHP code, what's to stop them from uploading an even meaner bit-o-code? In some other language? There is something fundamentally flawed in the logic of claiming safe_mode as "broken" if the means to abuse that flaw is predicated upon an intruder already having write access to the file system... a situation I think most would agree as being catastrophic to the integrity of the host, "safe_mode" or no "safe_mode". Is it a bug? Sure. Is it worthy of a Bugtraq posting? Barely.
> A customer has bought some web space from a provider and is given only ftp access to upload his files. The customer is not supposed to have shell access nor view files outside of his home directory. The customer could easily upload and compile a "lite" version of the popular netcat tool (cd /usr/ports/*/netcat;make clean;make&&make install) and spawn himself a remote shell on the hosting boxen.
Or install a C/Perl/Tcl/sh/ etc etc shell emulating CGI to do the same thing. If the person has write access to the file system there is very little that will stop them from being able to execute shell commands, install and run netcat, or any of a myriad of other privilege escalation or "local root" attacks.
> An attacker could upload a simple script that does the following:
Once again, your attack is predicated upon a malicious intruder having write access to the file system. Once that level of access has been obtained, you are already at the intruder's mercy. Anything else the intruder finds on the file system, including a minor bug in PHP, is pure gravy.
__
http://www.thewebmasters.net/
"Well, I'll fetch a spammer, you fetch an iMac, some baby oil, and some burly mechanics to assist with the insertion, and we'll Advance Science!"
-- Patrick Wade in the Monastery