From: greg at gguldens dot org
Operating system: Centos 5
PHP version: 5.2.5
PHP Bug Type: Safe Mode/open_basedir
Bug description: null value in safe_mode_exec_dir still executes program in root dir
Description:
------------
Using popen to execute a program such as /usr/lib/sendmail when running PHP in safe mode and with the safe_mode_exec_dir directive being null, PHP still attempts to execute the named program in the root directory. I believe this has the potential to be exploited as a hacking mechanism if the behavior is not changed.

Reproduce code:
---------------
Use popen in safe mode to try to execute /usr/lib/sendmail. PHP will return a 127 error. If, however, you put a symbolic link named sendmail in the root directory that points to /usr/lib/sendmail, PHP will execute the program perfectly.

Expected result:
----------------
If the safe_mode_exec_dir directive in the php.ini file has a null value, then it would seem proper to not allow PHP to execute any program via a popen. Only if there is a value associated with the safe_mode_exec_dir directive should PHP actually execute a program.

As an additional suggestion, the safe_mode_exec_dir directive could be defaulted to some directory such as "/usr/php_safe_exec" where users could place links to programs outside the safe exec directory. This would seem to be a much more secure solution than encouraging a user to place /usr/lib, /usr/bin, /usr/sbin, or another directory that may contain executables that could be used to compromise the system if an entire pre-populated system directory was placed into this directive.
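The following userland wrapper is an added example, not part of this report or of PHP itself; it enforces in application code the policy the reporter expects from safe_mode_exec_dir: nothing executes while the directive is empty, and only entries (files or administrator-placed links) that exist inside that directory may run. The function name safe_exec_popen is hypothetical; the wrapper reads the real ini directive and is the only enforcement on PHP 5.4 and later, where safe mode no longer exists.

```php
<?php
// Added example (not from the bug report or PHP). Enforces the reporter's
// expected safe_mode_exec_dir semantics before handing a command to popen().
function safe_exec_popen(string $program, array $args = [], string $mode = 'r')
{
    $execDir = (string) ini_get('safe_mode_exec_dir');
    if ($execDir === '') {
        // Expected result from the report: an empty directive means "run nothing",
        // never "run from /" (where a stray symlink such as /sendmail would be found).
        throw new RuntimeException('safe_mode_exec_dir is empty; refusing to execute');
    }
    $execDir = realpath($execDir);
    if ($execDir === false || !is_dir($execDir)) {
        throw new RuntimeException('safe_mode_exec_dir does not resolve to a directory');
    }
    // Only the basename is honoured, mirroring how safe mode prefixes the directory;
    // this also strips any "../" the caller may have supplied.
    $candidate = $execDir . DIRECTORY_SEPARATOR . basename($program);
    // The entry must exist in the administrator-controlled directory. A symlink placed
    // there deliberately (the report's /usr/php_safe_exec suggestion) is accepted;
    // a program that merely exists elsewhere on the system is not.
    if (!file_exists($candidate) || !is_executable($candidate)) {
        throw new RuntimeException('program not present in safe_mode_exec_dir: ' . $program);
    }
    $cmd = escapeshellarg($candidate);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);   // arguments are quoted, never interpolated
    }
    $handle = popen($cmd, $mode);
    if ($handle === false) {
        throw new RuntimeException('popen failed for ' . $candidate);
    }
    return $handle;
}

// Usage with the directory the report proposes (hypothetical path):
// ini_set('safe_mode_exec_dir', '/usr/php_safe_exec');
// $mail = safe_exec_popen('sendmail', ['-t', '-i'], 'w');
// fwrite($mail, $message);
// pclose($mail);
```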
-- Edit bug report at http://bugs.php.net/?id=43660&edit=1 --