#32421 [Opn->Bgs]: Execution functions bypass safe_mode configurations

Tue, 22 Mar 2005 23:24:04 -0800 

 ID:               32421
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ricardi at gmail dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Program Execution
 Operating System: *nix (Tested on Linux)
 PHP Version:      4.3.10
 New Comment:

Disable system() and other exec functions then.
PHP is unable to prevent you to shoot your leg or to format harddrive
with a binary called by a binary.


Previous Comments:
------------------------------------------------------------------------

[2005-03-23 01:10:23] ricardi at gmail dot com

Description:
------------
We bypass the safe_mode restrictions using binary with "system"
function built-in. The problem occurs when we had an incident in a mass
virtualhost machine. One of the domains, execute a script that bypass
the safe_mode restrictions like open_base_dir and safe_mode_exec_dir. 

The configurations in the virtualhost was like:

<VirtualHost *>
ServerName www.something.com
ServerPath /mnt/nfs/domains/something.com.br/www
php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_include_dir
/mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
...

</VirtualHost>

We create a simple program in "C" that create a file outside the
open_basedir and execute a binary that isn't in the
safe_mode_exec_dir:
/* ---------------
Contents of file.c 
 ---------------- */

#include <stdio.h>

int main() {
        system("find / -maxdepth 1 > /tmp/trash.txt");
        return 0;
}

Compiling: gcc -o file file.c

With an ftp access, we put the file in the safe_mode_exec_dir:

> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x    1 nfsnobod nfsnobod    13576 Mar 22 16:57 file

Now create a php script that calls the binary.

<?php
system("file");
?>

Then put this on the webroot and after accessing the script with
http://www.something.com.br/script.php, check the /tmp:

> ls -la /tmp
-rw-r--r--    1 nfsnobody     nfsnobody          139 Mar 22 21:00
trash.txt

We had to disable the execution feature from our product. 



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=32421&edit=1

Reply via email to