ID: 49026 Updated by: il...@php.net Reported By: virus at tgu dot ru -Status: Open +Status: Closed Bug Type: Safe Mode/open_basedir Operating System: FreeBSD PHP Version: 5.2.10 New Comment:
This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2009-07-26 15:14:19] s...@php.net Automatic comment from SVN on behalf of iliaa Revision: http://svn.php.net/viewvc/?view=revision&revision=286360 Log: Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). ------------------------------------------------------------------------ [2009-07-23 09:10:24] virus at tgu dot ru I think $env parameter of proc_open() should be disabled in safe_mode. ------------------------------------------------------------------------ [2009-07-23 08:36:28] virus at tgu dot ru Description: ------------ Environment variables specified for proc_open passed without check so safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored. So it become possible to use buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files acessible for apache uid. In php.ini: safe_mode = On safe_mode_gid = On safe_mode_include_dir = safe_mode_exec_dir = /usr/bin/safe safe_mode_allowed_env_vars = PHP_ safe_mode_protected_env_vars = LD_LIBRARY_PATH Reproduce code: --------------- <? putenv("BLAHBLAH=123"); putenv("LD_LIBRARY_PATH=/no/way"); putenv("PHP_TESTVAR=allowed"); $env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed'); $dptspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); $fp = proc_open('env', $dptspec, $pipes, './', $env); echo "<pre>"; while(!feof($pipes[1])) echo fgets($pipes[1], 1024); fclose($pipes[1]); echo "</pre>"; ?> Expected result: ---------------- Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2 Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3 PHP_TESTVAR=allowed PWD=/my/path Actual result: -------------- Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2 Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3 LD_LIBRARY_PATH=/no/way PHP_TESTVAR=allowed BLAHBLAH=123 PWD=/my/path ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=49026&edit=1
