Bugtraq mailing list archives
Re: php breaks safe mode
From: Laurent Papier <papier () sdv fr>
Date: Tue, 03 Jul 2001 10:20:49 +0200
Joost Pol wrote:

> This will only help when the directory specified in the open_basedir directive is a directory in which PHP code is not interpreted, or a directory which is not accessible by the user. If the directory specified is still accessible by the user, a "malicious" user could log PHP code to an error log and have it interpreted. Since the error log would be owned by the uid of the webserver, the PHP code logged to the error log will be executed with the uid of the webserver (e.g. log 'showsource($foo)' to bar.php3 and then later execute the bar.php3 script: bar.php3?foo=/path/to/access_log). The user could then read and/or write to files owned by the uid of the webserver (not a Good Thing).

Again I disagree. For me there are 2 cases:

1) A user with valid PHP dev. access (via FTP for example). His scripts run in safe_mode and are limited with open_basedir. As error_log is limited by open_basedir, he cannot use this function to escape from open_basedir and break safe_mode. And creating an error log in open_basedir with PHP code in it is not a problem, as we have assumed that the user has valid PHP dev. access in open_basedir.

> An attacker could upload a simple script that does the following:
>
> <?
> $cmd = '<? showsource($foo); ?>';
> error_log($cmd,3,"/path/to/user/wwwspace/nobody.php");
> ?>

2) An attacker who can upload and execute a PHP script 's1' (this is what you assume in your description) with an error_log call in it in order to generate another file with PHP code 's2' in it. It should be much simpler to directly upload 's2', shouldn't it? And if for you error_log is a security problem, I guess fopen/fwrite ... are also a security problem, as the attacker can also use the fopen/fwrite functions to create the file 's2' in /tmp for example. In this case the problem is that the attacker is able to upload and execute a PHP script. And this is not PHP safe_mode's fault. So for me error_log does not break safe_mode.

--
Laurent Papier - Admin. systeme
Sdv Plurimedia - <http://www.sdv.fr>
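Added example, not part of the original message or of PHP itself: a source audit for the call form debated above, error_log() with message type 3 appending to a file the web server would interpret as PHP. The extension list, the function names `split_args` and `audit`, and the sample script variants are assumptions constructed for illustration.

```python
import re

# Extensions assumed to be handed to the PHP interpreter (adjust to the server's handler mapping).
INTERPRETED_EXT = (".php", ".php3", ".phtml")
CALL_RE = re.compile(r"\berror_log\s*\(", re.IGNORECASE)
LITERAL_RE = re.compile(r"""^(['"])([^'"$]*)\1$""")
# A whole quoted string (with backslash escapes) or any single character.
TOKEN_RE = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|.""", re.DOTALL)

def split_args(src, start):
    """Split call arguments beginning just after '(' on top-level commas."""
    args, buf, depth = [], "", 0
    for t in TOKEN_RE.findall(src, start):
        if t == "(":
            depth += 1
        elif t == ")":
            if depth == 0:
                return args + [buf.strip()]
            depth -= 1
        elif t == "," and depth == 0:
            args, buf = args + [buf.strip()], ""
            continue
        buf += t
    return None                         # unterminated call

def audit(source):
    """Return (line, destination, verdict) for every type-3 error_log call."""
    findings = []
    for m in CALL_RE.finditer(source):
        args = split_args(source, m.end())
        if not args or len(args) < 3 or args[1] != "3":
            continue                    # not the append-to-file form
        lit = LITERAL_RE.match(args[2])
        if lit is None:
            verdict = "review"          # destination is built at run time
        elif lit.group(2).lower().endswith(INTERPRETED_EXT):
            verdict = "flag"            # log file would be interpreted as PHP
        else:
            verdict = "ok"
        findings.append((source.count("\n", 0, m.start()) + 1, args[2], verdict))
    return findings

# Constructed sample: the script quoted in the thread plus two variants (fmt() is hypothetical).
SAMPLE = '''<?
$cmd = '<? showsource($foo); ?>';
error_log($cmd,3,"/path/to/user/wwwspace/nobody.php");
error_log("disk full", 3, "/var/log/app/errors.log");
error_log(fmt($a, $b), 3, $dir . "/out.php3");
?>'''
```

Calling `audit(SAMPLE)` flags the thread's script on line 3, passes the plain `.log` destination, and marks the concatenated destination for manual review.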
Current thread:
- php breaks safe mode Joost Pol (Jul 01)
- Re: php breaks safe mode Laurent Papier (Jul 02)
- Re: php breaks safe mode Joost Pol (Jul 02)
- Re: php breaks safe mode Laurent Papier (Jul 03)
- Re: php breaks safe mode Patrick Oonk (Jul 03)
- Re: php breaks safe mode Joost Pol (Jul 02)
- Re: [BUGTRAQ] php breaks safe mode Joe Harris (Jul 03)
- Re: [BUGTRAQ] php breaks safe mode Joost Pol (Jul 03)
- Re: [BUGTRAQ] php breaks safe mode Raptor (Jul 05)
- Re: [BUGTRAQ] php breaks safe mode H D Moore (Jul 05)
- Re: [BUGTRAQ] php breaks safe mode Steffen Dettmer (Jul 06)
- Re: [BUGTRAQ] php breaks safe mode Joost Pol (Jul 03)
- Re: [BUGTRAQ] php breaks safe mode Steffen Dettmer (Jul 05)
- Re: [BUGTRAQ] php breaks safe mode Sander Steffann (Jul 06)
- Re: php breaks safe mode Laurent Papier (Jul 02)