Bugtraq mailing list archives
Re: php breaks safe mode
From: Laurent Papier <papier () sdv fr>
Date: Mon, 02 Jul 2001 17:02:50 +0200
Joost Pol wrote:
2. PHP Version 4.0.5/4.0.4pl1 SOMETIMES breaks safe_mode. 2.0 - Description of the problem PHP safe_mode has the nice feature of disallowing the opening/reading and writing to files that are not owned by the uid that the script is owned by. Though using some "common sense" it still is possible to open/read and write to files that are owned by the uid the webserver is running as. *notice* assuming that something like suexec is not in place */notice* An attacker could upload a simple script that does the following: <? $cmd = '<? showsource($foo); ?>'; error_log($cmd,3,"/path/to/user/wwwspace/nobody.php"); ?> For example, assuming that the error_log is owned by the webserver it could be read using a simple query: http://foo.bar/~user/nobody.php?foo=/path/to/webserver/logs/access_log 2.1 - Impact Depends on the setup of the hosting box. If suexec or something similiar is used, impact is nihil. See also 1.1.1/1.1.2 2.3 - Solution Disallow the changing of the error_log location in safe_mode? Not really for me to say, the PHP-team will come with something good. Notice: just changing the error_log function wont do, you could also change the ini setting error_log (or another ini setting that has a similiar effect). These ini settings can be set from a user script since they all have PHP_INI_ALL perimissions. Maybe disallow setting of ini variables in safemode?
I think safe_mode should always be used with open_basedir directive in order to limit user filesystem access. As error_log is limited by open_basedir, suexec is not needed to have a secure system as long as open_basedir is correctly set. I see nothing wrong allowing user to use error_log. I don't think PHP-team should change the error-log function. -- Laurent Papier - Admin. systeme Sdv Plurimedia - <http://www.sdv.fr>
Current thread:
- php breaks safe mode Joost Pol (Jul 01)
- Re: php breaks safe mode Laurent Papier (Jul 02)
- Re: php breaks safe mode Joost Pol (Jul 02)
- Re: php breaks safe mode Laurent Papier (Jul 03)
- Re: php breaks safe mode Patrick Oonk (Jul 03)
- Re: php breaks safe mode Joost Pol (Jul 02)
- Re: [BUGTRAQ] php breaks safe mode Joe Harris (Jul 03)
- Re: [BUGTRAQ] php breaks safe mode Joost Pol (Jul 03)
- Re: [BUGTRAQ] php breaks safe mode Raptor (Jul 05)
- Re: [BUGTRAQ] php breaks safe mode H D Moore (Jul 05)
- Re: [BUGTRAQ] php breaks safe mode Steffen Dettmer (Jul 06)
- Re: [BUGTRAQ] php breaks safe mode Joost Pol (Jul 03)
- Re: [BUGTRAQ] php breaks safe mode Steffen Dettmer (Jul 05)
- Re: [BUGTRAQ] php breaks safe mode Sander Steffann (Jul 06)
- Re: php breaks safe mode Laurent Papier (Jul 02)