ID: 12119
Updated by: jflemer
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Closed
Bug Type: Scripting Engine problem
Operating System: Solaris 8
PHP Version: 4.0.6
Old Assigned To:
Assigned To: jflemer
New Comment:
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
- [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
of symlink before trimming filename
Previous Comments:
------------------------------------------------------------------------
[2001-07-12 20:02:23] [EMAIL PROTECTED]
php_checkuid() [ main/safe_mode.c:46 ] first checks the ownership of the file you are
trying to open against the ownership of the executing script.
If that check fails, it checks the ownership of the directory containing the file you
are trying to open. The second part never calls VCWD_REALPATH() on the filename before
trimming it to get the working directory. Thus it is simple to bypass safe mode
restrictions.

In a directory you own, create a symlink to, say, /etc/passwd, then include that symlink
in a file you own.
e.g.:
$ cd $HOME/public_html
$ ln -s /etc/passwd symlink
$ echo '<pre><?php include "symlink"; ?></pre>' > passwd.php

I have a patch (almost) prepared that calls VCWD_REALPATH() on the destination, then
trims the filename in order to get directory permissions.
------------------------------------------------------------------------
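Added example (editor's illustration, not PHP's own main/safe_mode.c): a small C model of the check the report describes, file owner first, then the owner of the containing directory, with that directory derived either from the path as given (the PHP 4.0.6 behaviour) or after realpath(), which is what VCWD_REALPATH wraps. Function and path names are assumptions; the fixture it builds under /tmp is constructed and entirely owned by the running user, so what it shows is which directory the fallback check ends up statting in each mode, not a privilege difference.

```c
/* Added example; not PHP's own main/safe_mode.c. Models the directory
 * fallback of the safe-mode owner check from Bug #12119: the vulnerable
 * variant trims the filename as given, so a symlink in a directory the
 * script owner controls points the check at that directory; the fixed
 * variant resolves the path first and only then trims. Build: cc -std=c11 */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory the fallback check will stat. resolve_symlinks == 0 models
 * PHP 4.0.6 (vulnerable); != 0 models the fix (realpath, then trim).
 * Returns 0 on success, -1 on error. */
int checked_directory(const char *filename, int resolve_symlinks,
                      char *out, size_t outlen) {
    char buf[PATH_MAX], *slash;
    if (resolve_symlinks) {
        if (realpath(filename, buf) == NULL) return -1;
    } else {
        if (strlen(filename) >= sizeof buf) return -1;
        strcpy(buf, filename);
    }
    slash = strrchr(buf, '/');           /* trim the filename component */
    if (slash == NULL) strcpy(buf, ".");
    else if (slash == buf) buf[1] = '\0';
    else *slash = '\0';
    if (strlen(buf) >= outlen) return -1;
    strcpy(out, buf);
    return 0;
}

/* Owner check as the report describes php_checkuid(): allow if the file is
 * owned by script_uid, else fall back to the directory owner. 1/0/-1. */
int safe_mode_owner_check(const char *filename, uid_t script_uid,
                          int resolve_symlinks) {
    struct stat sb;
    char dir[PATH_MAX];
    if (stat(filename, &sb) == 0 && sb.st_uid == script_uid) return 1;
    if (checked_directory(filename, resolve_symlinks, dir, sizeof dir) != 0)
        return -1;
    if (stat(dir, &sb) != 0) return -1;
    return sb.st_uid == script_uid ? 1 : 0;
}

/* Constructed fixture in a fresh temp dir: <root>/target_dir/secret.txt and
 * <root>/user_dir/link -> ../target_dir/secret.txt. Fills root and link
 * (both PATH_MAX buffers); returns 0 on success. */
static int build_fixture(char *root, char *link) {
    char tmpl[] = "/tmp/bug12119-XXXXXX", path[PATH_MAX];
    FILE *f;
    root[0] = '\0';
    if (mkdtemp(tmpl) == NULL) return -1;
    strcpy(root, tmpl);
    snprintf(path, sizeof path, "%s/target_dir", root);
    if (mkdir(path, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/user_dir", root);
    if (mkdir(path, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/target_dir/secret.txt", root);
    if ((f = fopen(path, "w")) == NULL) return -1;
    fclose(f);
    snprintf(link, PATH_MAX, "%s/user_dir/link", root);
    return symlink("../target_dir/secret.txt", link);
}

static void remove_fixture(const char *root) {
    const char *parts[] = { "user_dir/link", "target_dir/secret.txt", "user_dir", "target_dir" };
    char path[PATH_MAX];
    for (int i = 0; root[0] != '\0' && i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", root, parts[i]);
        if (i < 2) unlink(path); else rmdir(path);
    }
    if (root[0] != '\0') rmdir(root);
}

static int ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* 1 if the directory the check stats for the fixture's symlink ends with
 * expected_suffix: "/user_dir" unresolved, "/target_dir" resolved. */
int fixture_checked_dir_ends_with(int resolve_symlinks, const char *expected_suffix) {
    char root[PATH_MAX], link[PATH_MAX], dir[PATH_MAX];
    int ok = 0;
    if (build_fixture(root, link) == 0)
        ok = checked_directory(link, resolve_symlinks, dir, sizeof dir) == 0
             && ends_with(dir, expected_suffix);
    remove_fixture(root);
    return ok;
}

/* Owner check on the fixture's symlink with our own uid (expect 1) or a uid
 * owning nothing in the fixture (expect 0), in either mode. -1 on error. */
int fixture_owner_check(int resolve_symlinks, int use_own_uid) {
    char root[PATH_MAX], link[PATH_MAX];
    uid_t uid = use_own_uid ? getuid() : getuid() + 1;
    int result = build_fixture(root, link) == 0
               ? safe_mode_owner_check(link, uid, resolve_symlinks) : -1;
    remove_fixture(root);
    return result;
}
```

With resolve_symlinks == 0 the fallback stats user_dir, the directory holding the symlink, which is exactly the directory the script owner controls; with resolve_symlinks != 0 it stats target_dir, the directory the link actually points into, which is the ownership the check was meant to consult. The detection angle follows from the same fact: a symlink created in a web-writable directory whose target lies outside it is the artifact to look for on PHP builds predating this fix.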
Edit this bug report at http://bugs.php.net/?id=12119&edit=1
--
PHP Development Mailing List <http://www.php.net/>