From: virus at tgu dot ru
Operating system: FreeBSD
PHP version: 5.2.10
PHP Bug Type: Safe Mode/open_basedir
Bug description: proc_open bypass _env_vars restrictions
Description:
------------
Environment variables specified for proc_open are passed without any check, so the safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored. So it becomes possible to use a buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files accessible to the apache uid.

In php.ini:

safe_mode = On
safe_mode_gid = On
safe_mode_include_dir =
safe_mode_exec_dir = /usr/bin/safe
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH

Reproduce code:
---------------
<?php
putenv("BLAHBLAH=123");            // rejected by safe_mode: not in the allowed list (warning on line 2)
putenv("LD_LIBRARY_PATH=/no/way"); // rejected by safe_mode: protected variable (warning on line 3)
putenv("PHP_TESTVAR=allowed");     // accepted: matches the PHP_ prefix

// The same three variables handed to proc_open() through $env are not checked at all.
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
$fp = proc_open('env', $dptspec, $pipes, './', $env);

// Print the child's environment as reported by env(1).
echo "<pre>";
while (!feof($pipes[1])) {
    echo fgets($pipes[1], 1024);
}
fclose($pipes[1]);
echo "</pre>";
proc_close($fp);
?>

Expected result:
----------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3
PHP_TESTVAR=allowed
PWD=/my/path

Actual result:
--------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3
LD_LIBRARY_PATH=/no/way
PHP_TESTVAR=allowed
BLAHBLAH=123
PWD=/my/path

-- 
Edit bug report at http://bugs.php.net/?id=49026&edit=1
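The following is an added example, not code from the bug report or from PHP itself. It shows a userland wrapper that applies the putenv() safe-mode policy to the $env array before proc_open() receives it, which is the check the report says is missing. The helper names (parse_ini_list, filter_env_for_safe_mode, safe_proc_open) are hypothetical, and the policy it models is an assumption drawn from the settings quoted above: safe_mode_protected_env_vars is a comma-separated list of exact names, safe_mode_allowed_env_vars a comma-separated list of name prefixes, matching is case-insensitive as for putenv(), and an empty allowed list means anything not protected is allowed. The fallback values used when the ini settings do not exist are the ones from the report.

```php
<?php
// Added example (not part of bug #49026 or of PHP): filter the proc_open() $env
// array with the same policy safe_mode enforces for putenv().

function parse_ini_list($value)
{
    // Turn "A, B ,C" into array('A', 'B', 'C'); an empty setting yields array().
    $items = array();
    foreach (explode(',', (string) $value) as $item) {
        $item = trim($item);
        if ($item !== '') {
            $items[] = $item;
        }
    }
    return $items;
}

function filter_env_for_safe_mode(array $env, array $allowed_prefixes, array $protected_names)
{
    $kept = array();
    foreach ($env as $name => $value) {
        $problem = null;

        // Protected names can never be overridden, whatever the allowed list says.
        foreach ($protected_names as $protected) {
            if (strcasecmp($name, $protected) === 0) {
                $problem = "Cannot override protected environment variable '$name'";
                break;
            }
        }

        // With a non-empty allowed list, the name must start with one of the prefixes.
        if ($problem === null && count($allowed_prefixes) > 0) {
            $allowed = false;
            foreach ($allowed_prefixes as $prefix) {
                if (strncasecmp($name, $prefix, strlen($prefix)) === 0) {
                    $allowed = true;
                    break;
                }
            }
            if (!$allowed) {
                $problem = "Cannot set environment variable '$name' - it's not in the allowed list";
            }
        }

        if ($problem !== null) {
            trigger_error($problem, E_USER_WARNING);
            continue;                     // dropped, exactly as putenv() would refuse it
        }
        $kept[$name] = $value;
    }
    return $kept;
}

function safe_proc_open($cmd, array $descriptorspec, &$pipes, $cwd, array $env)
{
    // ini_get() returns false when the setting does not exist (safe_mode and its
    // settings were removed in PHP 5.4); fall back to the values from the report.
    $allowed   = ini_get('safe_mode_allowed_env_vars');
    $protected = ini_get('safe_mode_protected_env_vars');
    $allowed_prefixes = parse_ini_list($allowed === false ? 'PHP_' : $allowed);
    $protected_names  = parse_ini_list($protected === false ? 'LD_LIBRARY_PATH' : $protected);

    $filtered = filter_env_for_safe_mode($env, $allowed_prefixes, $protected_names);
    return proc_open($cmd, $descriptorspec, $pipes, $cwd, $filtered);
}

// Constructed input: the report's three variables plus the LD_PRELOAD case the
// description warns about. Only PHP_TESTVAR survives the filter.
$env = array(
    'BLAHBLAH'        => '123',
    'LD_LIBRARY_PATH' => '/no/way',
    'LD_PRELOAD'      => '/tmp/evil_library.so',
    'PHP_TESTVAR'     => 'allowed',
);

$descriptorspec = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'));
$proc = safe_proc_open('env', $descriptorspec, $pipes, './', $env);
if (is_resource($proc)) {
    fclose($pipes[0]);
    echo stream_get_contents($pipes[1]);  // from $env, only PHP_TESTVAR reaches the child
    fclose($pipes[1]);
    proc_close($proc);
}
```

Two points worth checking against your own configuration: with the settings quoted in the report, LD_PRELOAD is stopped only because it does not carry the PHP_ prefix, so if safe_mode_allowed_env_vars is left empty nothing but the protected list blocks it, and LD_PRELOAD should then be added to safe_mode_protected_env_vars explicitly. And a userland wrapper of this kind only helps for scripts that use it; code that calls proc_open() directly on an affected build still bypasses the check, so the fix has to come from the interpreter, or from running untrusted scripts under a separate uid where LD_PRELOAD buys nothing extra.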