From:             [EMAIL PROTECTED]
Operating system: Solaris 8
PHP version:      4.0.6
PHP Bug Type:     Scripting Engine problem
Bug description:  safe mode owner check can be bypassed with symlink

php_checkuid() [ main/safe_mode.c:46 ] first checks the ownership of the
file you are trying to open against the ownership of the executing

if that check fails, it checks the ownership of the directory containing
the file you are trying to open. the second part never calls
VCWD_REALPATH() on the filename before trimming it to get the working
directory. thus it is simple to bypass safe mode restrictions.

in a directory you own, create a symlink to say /etc/passwd then include
that symlink in a file you own.

$ cd $HOME/public_html
$ ln -s /etc/passwd symlink
$ echo '<pre><?php include "symlink"; ?></pre>' > passwd.php

I have a patch (almost) prepared that calls VCWD_REALPATH() on the
destination, then trims the filename in order to get directory permissions.

Edit bug report at:

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to