Full Disclosure mailing list archives

Re: Fun with mod_php/Apache 1.3, yet Apache much better than II$


From: Stefan Esser <s.esser () e-matters de>
Date: Wed, 6 Nov 2002 20:19:12 +0100

On Wed, Nov 06, 2002 at 08:15:48PM +0200, Georgi Guninski wrote:

> I. Apache and php were notified on Tue, 15 Oct 2002 18:16:40 +0300
> The Apache guys seem to prepare a fix. The php guys replied this is known
> for ages but did not provide reference for the claims.

It is known for ages because it is a UNIX design decision to inherit
file descriptors on exec. That's why most derivatives support a CLOSE ON
EXEC flag. I told you several times that I used the fd leakage in my
e-matters PHP exploits to clean the Apache log files for demonstration.
This code belongs to e-matters and cannot be made public...
Now you can say: okay, logfiles, but sockets are different...
However, I also told you guys to look into php4/main/main.c: there is
a comment somewhere in the code (within ...shutdown_for_exec()) that
says (since 4.0.0) that we cannot close the fds at that place because
it caused trouble (with 3rd party libs etc...). Taking care of the
open fds would mean mod_php had to do unnecessary extra fork()s in
front of all 3rd party library calls that could maybe execute external
programs. And in front of all popen()s...

However, I also told you that you should disable all exec functions
in hosted environments via php.ini, because there can always be kernel
bugs or suid bugs on the box that could be exploited.

Anyway, nice work Mr. Guninski.

Stefan Esser


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
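The inheritance behaviour and the CLOSE ON EXEC flag Stefan refers to, as an added demonstration that is not part of the thread or of PHP/Apache code: the program opens a descriptor twice (using /dev/null as a constructed stand-in for the Apache log file), marks one copy FD_CLOEXEC via fcntl(), and lets an exec'd /bin/sh report whether it still sees each descriptor. The helper names set_cloexec, fd_survives_exec and leak_check are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC so the descriptor is closed when this process exec()s
 * another program. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Fork and exec /bin/sh, which tries to dup the descriptor onto its
 * stdout. Returns 1 if the exec'd program still has fd open (leaked),
 * 0 if it found fd closed, -1 if fork/exec itself failed. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    /* ">&N" only succeeds when descriptor N is open in the child */
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Open a stand-in for the Apache log file (/dev/null, constructed input),
 * optionally mark it close-on-exec, and report whether an exec'd child
 * inherits it: 1 = inherited (the leak from the post), 0 = closed. */
int leak_check(int use_cloexec)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0 || (use_cloexec && set_cloexec(fd) < 0))
        return -1;
    int leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}
```

leak_check(0) returns 1 (the plain descriptor survives into the child, which is what lets a process spawned from mod_php reach the log file), while leak_check(1) returns 0 once FD_CLOEXEC is set.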
