ID: 12119
Reported By: jflemer at acm dot jhu dot edu
Status: Closed
Bug Type: Scripting Engine problem
Operating System: Solaris 8
PHP Version: 4.0.6
Assigned To: jflemer
Previous Comments:
------------------------------------------------------------------------

[2001-07-13 14:24:38] [EMAIL PROTECTED]

o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
  - [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination of symlink before trimming filename

------------------------------------------------------------------------

[2001-07-12 20:02:23] jflemer at acm dot jhu dot edu

php_checkuid() [ main/safe_mode.c:46 ] first checks the ownership of the file you are trying to open against the ownership of the executing script. If that check fails, it checks the ownership of the directory containing the file you are trying to open. The second part never calls VCWD_REALPATH() on the filename before trimming it to get the working directory. Thus it is simple to bypass safe mode restrictions. In a directory you own, create a symlink to, say, /etc/passwd, then include that symlink in a file you own. E.g.:

$ cd $HOME/public_html
$ ln -s /etc/passwd symlink
$ echo '<pre><?php include "symlink"; ?></pre>' > passwd.php

I have a patch (almost) prepared that calls VCWD_REALPATH() on the destination, then trims the filename in order to get directory permissions.

------------------------------------------------------------------------
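The two-step owner check described in the report above, as an added example that is not PHP's own code: a Python model of php_checkuid() run against a constructed in-memory filesystem, with the original behaviour (trim the filename as given) beside the VCWD_REALPATH fix (resolve the symlink first, then trim). The FakeFs class, the uids, the paths and the function names are assumptions made for this illustration; the owner_of and realpath parameters default to os.stat and os.path.realpath so the same check can also be run against a real directory tree.

```python
import os
import posixpath
from typing import Callable, Dict


def parent_dir(path: str) -> str:
    """The 'trim filename' step of php_checkuid(): drop the last path component."""
    return posixpath.dirname(path) or "/"


def php_checkuid(filename: str, script_uid: int, *, resolve_symlinks: bool,
                 owner_of: Callable[[str], int] = lambda p: os.stat(p).st_uid,
                 realpath: Callable[[str], str] = os.path.realpath) -> bool:
    """Model of the safe-mode owner check (a reconstruction, not PHP's C code).

    1. If the file's owner (stat follows symlinks) matches the script owner, allow.
    2. Otherwise allow iff the owner of the containing directory matches.
    resolve_symlinks=False trims the filename as given (the reported bug);
    resolve_symlinks=True resolves it with realpath first (the fix).
    """
    try:
        if owner_of(filename) == script_uid:
            return True
    except OSError:
        pass  # file may not exist yet (e.g. opened for writing); fall through
    target = realpath(filename) if resolve_symlinks else filename
    try:
        return owner_of(parent_dir(target)) == script_uid
    except OSError:
        return False


class FakeFs:
    """Constructed in-memory tree (assumption for the demo).

    owners maps real paths to uids; links maps symlink paths to absolute targets.
    Only the final path component is resolved here; realpath(3) resolves every component.
    """

    def __init__(self, owners: Dict[str, int], links: Dict[str, str]):
        self.owners = owners
        self.links = links

    def realpath(self, path: str) -> str:
        for _ in range(40):  # ELOOP-style bound on chained links
            if path not in self.links:
                return path
            path = self.links[path]
        raise OSError("too many levels of symbolic links")

    def owner_of(self, path: str) -> int:
        real = self.realpath(path)  # stat(2) semantics: follow the link
        if real not in self.owners:
            raise FileNotFoundError(path)
        return self.owners[real]


# Constructed layout: the web user's script dir holds a symlink to root's /etc/passwd.
WEB_UID, ROOT_UID = 1000, 0
FS = FakeFs(
    owners={
        "/": ROOT_UID, "/etc": ROOT_UID, "/etc/passwd": ROOT_UID,
        "/home": ROOT_UID, "/home/user": WEB_UID,
        "/home/user/public_html": WEB_UID,
        "/home/user/public_html/passwd.php": WEB_UID,
    },
    links={"/home/user/public_html/symlink": "/etc/passwd"},
)


def check(path: str, resolve_symlinks: bool) -> bool:
    return php_checkuid(path, WEB_UID, resolve_symlinks=resolve_symlinks,
                        owner_of=FS.owner_of, realpath=FS.realpath)


def demo() -> dict:
    link = "/home/user/public_html/symlink"
    own = "/home/user/public_html/passwd.php"
    return {
        "symlink_unresolved": check(link, False),        # bug: parent is public_html (uid 1000) -> allowed
        "symlink_resolved": check(link, True),           # fix: parent is /etc (uid 0) -> denied
        "direct_etc_passwd": check("/etc/passwd", False),  # denied even before the fix
        "own_file": check(own, True),                    # legitimate include still allowed
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The first step passes the symlink's target through stat, so the file-owner comparison correctly fails on /etc/passwd; the bypass lives entirely in the fallback, which trims the unresolved name and so compares against the attacker's own directory. Resolving before trimming closes that path, but the check remains a uid comparison layered on top of the filesystem rather than an enforcement boundary, which is why safe mode was later removed from PHP altogether (in 5.4).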
