Bug #17163 Updated: rename() bypasses safe_mode

Sun, 12 May 2002 08:22:32 -0700 

 ID:               17163
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Bogus
+Status:           Open
 Bug Type:         Scripting Engine problem
 Operating System: Linux 2.4.18
 PHP Version:      4.2.0
 New Comment:

mkdir test;
ls -ld test drwxr-xr-x   2 forum    forum        4096 May 12 11:33
test

ls -l a.php
-rw-rw-rw-   1 www      www            44 May 12 10:57 a.php
a.php:
<?php rename('test', 'test3'); ?>

Script runs without errors, end result:

ls -ld test3
drwxr-xr-x   2 forum    forum        4096 May 12 11:35
test3

It works with files as well as directories.


Previous Comments:
------------------------------------------------------------------------

[2002-05-12 11:38:37] [EMAIL PROTECTED]

mkdir test;
ls -ld test drwxr-xr-x   2 forum    forum        4096 May 12 11:33
test

ls -l a.php
-rw-rw-rw-   1 www      www            44 May 12 10:57 a.php
a.php:
<?php rename('test', 'test3'); ?>

Script runs without errors, end result:

ls -ld test3 drwxr-xr-x   2 forum    forum        4096 May 12 11:35
test3

------------------------------------------------------------------------

[2002-05-12 11:22:27] [EMAIL PROTECTED]

Just to follow up on this because I can already see your mind working
on how this might be exploited through a script making a copy of itself
and now having the web server user id as its owner.  The theory is that
the web server user id does not own any system critical directories and
user directories are supposed to be owned by individual users so the
only potential for an exploit would be a cloned script renaming
something in a directory created by another user through a web
interface, but that is a bit of a tradeoff I made on purpose way back
when.

------------------------------------------------------------------------

[2002-05-12 11:18:03] [EMAIL PROTECTED]

Actually, we allow a rename in a directory if that directory is owned
by the same user id as the running script.  So this one is not a bug. 
Verify this statement and re-open if you find that this is not the
case.

------------------------------------------------------------------------

[2002-05-12 11:00:06] [EMAIL PROTECTED]

rename() function can be used to rename files a user has no access to
according to safe_mode.

Ex.

touch test
<?php rename('test', 'test2'); ?>

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=17163&edit=1

Reply via email to