ID: 12119
Updated by: jflemer
Old Status: Open
Status: Closed
Bug Type: Scripting Engine problem
Operating System: Solaris 8
PHP Version: 4.0.6
Old Assigned To: 
Assigned To: jflemer
New Comment:

o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
  - [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
    of symlink before trimming filename

Previous Comments:

[2001-07-12 20:02:23] [EMAIL PROTECTED]

php_checkuid() [ main/safe_mode.c:46 ] first checks the ownership of the file you are
trying to open against the ownership of the executing script.

If that check fails, it checks the ownership of the directory containing the file you
are trying to open. The second part never calls VCWD_REALPATH() on the filename before
trimming it to get the working directory. Thus it is simple to bypass safe mode.

In a directory you own, create a symlink to, say, /etc/passwd, then include that symlink
in a file you own.

$ cd $HOME/public_html
$ ln -s /etc/passwd symlink
$ echo '<pre><?php include "symlink"; ?></pre>' > passwd.php

I have a patch (almost) prepared that calls VCWD_REALPATH() on the destination, then 
trims the filename in order to get directory permissions. 


PHP Development Mailing List