ID:               43660
 Updated by:       [EMAIL PROTECTED]
 Reported By:      greg at gguldens dot org
-Status:           Open
+Status:           Bogus
 Bug Type:         Safe Mode/open_basedir
 Operating System: Centos 5
 PHP Version:      5.2.5
 New Comment:

>If, however, you put a symbolic link named sendmail in the root 
>directory that points to /usr/lib/sendmail, PHP will execute
>the program perfectly.

Setting an empty value to safe_mode_exec_dir and creating a symlink in
root requires administrative privileges, which means you need to think
what you're doing and PHP can't fix your mistakes.


Previous Comments:
------------------------------------------------------------------------

[2007-12-23 02:47:29] greg at gguldens dot org

Description:
------------
Using popen to execute a program such as /usr/lib/sendmail when running
PHP in safe mode and with the safe_mode_exec_dir directive being null,
PHP still attempts to execute the named program in the root directory. 
I believe this has the potential to be exploited as a hacking mechanism
if the behavior is not changed.

Reproduce code:
---------------
use popen in safe mode to try and execute /usr/lib/sendmail.  PHP will
return a 127 error.  If, however, you put a symbolic link named sendmail
in the root directory that points to /usr/lib/sendmail, PHP will execute
the program perfectly.

Expected result:
----------------
If the safe_mode_exec_dir directive in the PHP.ini file has a null
value, then it would seem proper to not allow PHP to execute any program
via a popen.  Only if there is a value associated with the
safe_mode_exec_dir directive should PHP actually execute a program.

As an additional suggestion, the safe_mode_exec_dir directive could be
defaulted to some directory such as "/usr/php_safe_exec" where users
could place links to programs outside the safe exec directory.  This
would seem to be a much more secure solution than encouraging a user to
place /usr/lib, /usr/bin, /use/sbin, or other directory that may contain
executables that could be used to compromise the system if an entire
pre-populated system directory was placed into this directive.



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=43660&edit=1

Reply via email to