#46831 [Opn->Fbk]: safe mode bypass in readdir(), realpath()

Tue, 16 Dec 2008 10:58:33 -0800 

 ID:               46831
 Updated by:       il...@php.net
 Reported By:      cmos_clr at hotmail dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Safe Mode/open_basedir
 Operating System: linux
 PHP Version:      5.2CVS-2008-12-11 (snap)
 New Comment:

Where is the security issue, you get an appropriate error about access

denied it would seem, no?


Previous Comments:
------------------------------------------------------------------------

[2008-12-11 04:36:18] cmos_clr at hotmail dot com

Description:
------------
::_::_::_::_::_::_::_::_::_::_::::_::_::_::_::_::_::_::_::_::_::::_::_::_::_::_::_::_::_::_::_::_::

::
::Found by  :  CmOs_CLR & hard_hakerz
::
::MAILS     :  cmos_...@hotmail.com & hard_hak...@hotmail.com
::
::SITE      :  wwW.SEC4EVER.coM
::
::-----------ABOUT Software:---------------- 
::
::VERSION   : PHP 5.2.6
::
::Vendor    : http://www.php.net
::
::------------------------------------------
::
::
::Responsible Functions : readdir() , realpath()
::
::WHERE IS THE PROBLEM ?
::
::IN SERVERS WITH SAFE MODE ON AND * getmyuid() * DISABLED WE CAN  
::BYPASS THIS.
::
::FIRST THIS ERROR WILL RESULT : getmyuid() has been disabled for
::security reasons.
::
::FOR readdir() :
::
::  
::  <?php
::  if ($handle = opendir('.')) {
::      while (false !== ($file = readdir($handle))) {
::          if ($file != "." && $file != "..") {
::              echo "$file\n";
::          }
::      }
::      closedir($handle);
::  }
::  ?>
::
::for realpath() :
::
::
::  <?php
::  echo realpath('/etc/passwd');
::  ?>
::
::THE RESULTAT IS :
:: The script whose *uid is 100* is not allowed to access /etc/passwd
::owned by uid 0 in 
:: /home/*user*/domains/site.com/public_html/function.php on line xx
::
::NOTE : a lot of others function can result this error "getmyuid()
::bypass "  un attacker can take a lot of information from this 
::error. like is the safe mode activat from http.conf or php.ini? the
::user of a site who? = user of ftp this can simplify a ftpbrute
::forcing only the case of pass because the user is known ......etc 
::this error is getmyuid() bypass in disabled fuction .
::
::
::thanks+good luck
::
::
::



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=46831&edit=1

Reply via email to