ID:               45997
 Updated by:       paj...@php.net
 Reported By:      johannesdahse at gmx dot de
-Status:           Open
+Status:           Assigned
 Bug Type:         Safe Mode/open_basedir
 Operating System: win32 only
 PHP Version:      5.2.6
-Assigned To:
+Assigned To:      pajoye
Previous Comments:
------------------------------------------------------------------------

[2008-09-04 19:03:37] johannesdahse at gmx dot de

Description:
------------
safe_mode bypass with a preceding backslash. Tested with exec(), system()
and passthru(). On Windows only.

Sorry, I do feel this bug concerns a security issue but I got no response
from secur...@php.net after sending 2 emails from 2 different accounts
about 6 weeks ago.

Reproduce code:
---------------
On the command line:

  php -n -d safe_mode=on -r "exec('\ping 192.168.222.1');"

With a PHP script and safe_mode enabled in php.ini:

  <? exec('\ping 192.168.222.1'); ?>

Expected result:
----------------
safe_mode turned on should block code execution from exec() and other
functions.

Actual result:
--------------
By adding a backslash in front of the command, the command got executed
anyhow.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=45997&edit=1
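An application-level command check written for this report as an added example (it is not PHP's safe_mode implementation): it treats '/' and '\' alike as path separators, so the leading backslash from the reproduce case is rejected before exec() is ever reached. The allowlist and the ping.exe path are assumptions.

```php
<?php
// Added example, not PHP's own safe_mode code: validate a command line
// before handing it to exec(). On Windows both '/' and '\' separate path
// components, so a program token starting with '\' is a path, not a name.

// Assumed allowlist: bare program names mapped to the absolute path that
// will actually be executed (path is a placeholder for this example).
const ALLOWED_PROGRAMS = [
    'ping' => 'C:\\Windows\\System32\\ping.exe',
];

/**
 * Return the full command line to run, or null if it must be rejected.
 * The program token must be a bare name: no '/', no '\', no drive letter.
 */
function checked_command(string $cmdline): ?string
{
    $cmdline = trim($cmdline);
    if ($cmdline === '') {
        return null;
    }
    // Split off the program token; the remainder is its argument string.
    $parts   = preg_split('/\s+/', $cmdline, 2);
    $program = $parts[0];
    $args    = $parts[1] ?? '';

    // Reject any directory component on either separator, and drive letters.
    if (preg_match('#[/\\\\]|^[A-Za-z]:#', $program)) {
        return null;
    }
    if (!isset(ALLOWED_PROGRAMS[$program])) {
        return null;
    }
    // Arguments limited to a conservative character set: no shell metacharacters.
    if ($args !== '' && !preg_match('/^[A-Za-z0-9._:\- ]+$/', $args)) {
        return null;
    }
    $full = escapeshellarg(ALLOWED_PROGRAMS[$program]);
    return $args === '' ? $full : $full . ' ' . $args;
}

// Constructed inputs: the report's bypass attempt, the plain form, and two
// other path spellings that a '/'-only check would miss.
$samples = ['\ping 192.168.222.1', 'ping 192.168.222.1', '..\ping', 'C:\tools\ping'];
foreach ($samples as $c) {
    $r = checked_command($c);
    printf("%-22s => %s\n", $c, $r === null ? 'rejected' : 'run: ' . $r);
}
```

safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on later versions a check of this kind in the application is the only control over what exec() receives.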