ID: 43660 Updated by: [EMAIL PROTECTED] Reported By: greg at gguldens dot org -Status: Open +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: Centos 5 PHP Version: 5.2.5 New Comment:
>If, however, you put a symbolic link named sendmail in the root >directory that points to /usr/lib/sendmail, PHP will execute >the program perfectly. Setting an empty value to safe_mode_exec_dir and creating a symlink in root requires administrative privileges, which means you need to think what you're doing and PHP can't fix your mistakes. Previous Comments: ------------------------------------------------------------------------ [2007-12-23 02:47:29] greg at gguldens dot org Description: ------------ Using popen to execute a program such as /usr/lib/sendmail when running PHP in safe mode and with the safe_mode_exec_dir directive being null, PHP still attempts to execute the named program in the root directory. I believe this has the potential to be exploited as a hacking mechanism if the behavior is not changed. Reproduce code: --------------- use popen in safe mode to try and execute /usr/lib/sendmail. PHP will return a 127 error. If, however, you put a symbolic link named sendmail in the root directory that points to /usr/lib/sendmail, PHP will execute the program perfectly. Expected result: ---------------- If the safe_mode_exec_dir directive in the PHP.ini file has a null value, then it would seem proper to not allow PHP to execute any program via a popen. Only if there is a value associated with the safe_mode_exec_dir directive should PHP actually execute a program. As an additional suggestion, the safe_mode_exec_dir directive could be defaulted to some directory such as "/usr/php_safe_exec" where users could place links to programs outside the safe exec directory. This would seem to be a much more secure solution than encouraging a user to place /usr/lib, /usr/bin, /use/sbin, or other directory that may contain executables that could be used to compromise the system if an entire pre-populated system directory was placed into this directive. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=43660&edit=1