Bugtraq mailing list archives
PHP3 safe_mode and popen()
From: kris () KOEHNTOPP DE (Kristian Koehntopp)
Date: Mon, 3 Jan 2000 22:47:40 +0100
PHP3 (http://www.php.net) is a scripting language used in many webhosting setups. Often in hosting setups so called "safe_mode" is enabled, which restricts the user in many ways. For example, in safe_mode you are supposed to be able to execute only programs from a safe_mode_exec_dir, if one is defined. Within that directory there should be only a restricted command set that is considered safe. When safe_mode is enabled, PHP3 is supposed to apply EscapeShellCmd() to each shell command to prevent the user from breaking out of this directory. As it turns out, the popen() function does not do this in safe_mode. I was able to set up a web server with safe_mode enabled and a safe_mode_exec_dir containing only "ls". I then wrote the following script: <?php $fp = popen("ls -l /opt/bin; /usr/bin/id", "r"); echo "$fp<br>\n"; while($line = fgets($fp, 1024)): printf("%s<br>\n", $line); endwhile; pclose($fp); phpinfo(); ?> which gave me the following output 1 total 53 -rwxr-xr-x 1 root root 52292 Jan 3 22:05 ls uid=30(wwwrun) gid=65534(nogroup) groups=65534(nogroup) and from the configuration values of phpinfo(): safe_mode 0 1 The following patch against functions/file.c fixes the problem, I hope: Index: functions/file.c =================================================================== RCS file: /repository/php3/functions/file.c,v retrieving revision 1.229 retrieving revision 1.230 diff -u -r1.229 -r1.230 --- functions/file.c 2000/01/01 04:31:15 1.229 +++ functions/file.c 2000/01/03 21:31:31 1.230 @@ -26,7 +26,7 @@ | Authors: Rasmus Lerdorf <rasmus () lerdorf on ca> | +----------------------------------------------------------------------+ */ -/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */ +/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */ #include "php.h" #include <stdio.h> @@ -51,6 +51,7 @@ #include "safe_mode.h" #include "php3_list.h" #include "php3_string.h" +#include "exec.h" #include "file.h" #if HAVE_PWD_H #if MSVC5 @@ -575,7 +576,7 @@ pval *arg1, *arg2; FILE *fp; int id; - char *p; + char *p, *tmp = NULL; char *b, buf[1024]; TLS_VARS; @@ -600,7 +601,11 @@ } else { snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val); } - fp = popen(buf,p); + + tmp = _php3_escapeshellcmd(buf); + fp = popen(tmp,p); + efree(tmp); /* temporary copy, no longer necessary */ + if (!fp) { php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno)); RETURN_FALSE; As a web hoster, you should not rely on safe_mode for security, but use the CGI version of PHP in a chroot()ed environment instead. Kristian
Current thread:
- PHP3 safe_mode and popen() Kristian Koehntopp (Jan 03)
- FWD: Redhat advisory Alfred Huger (Jan 04)
- Re: FWD: Redhat advisory (RPM --upgrade/-U vs. --freshen/-F) Peter W (Jan 04)
- Re: PHP3 safe_mode and popen() David TILLOY (Jan 04)
- Re: PHP3 safe_mode and popen() Thomas Köhler (Jan 05)
- CuteFTP saved password 'encryption' weakness Nick FitzGerald (Jan 05)
- Re: CuteFTP saved password 'encryption' weakness Brian Kifiak (Jan 05)
- Handspring Visor Network HotSync Security Hole Jay C Austad (Jan 05)
- Re: Handspring Visor Network HotSync Security Hole Jim Frost (Jan 06)
- Re: Handspring Visor Network HotSync Security Hole Chris Adams (Jan 07)
- Re: Handspring Visor Network HotSync Security Hole Jason Spence (Jan 06)
- FWD: Redhat advisory Alfred Huger (Jan 04)