[21308] in bugtraq
Re: php breaks safe mode
daemon@ATHENA.MIT.EDU (Laurent Papier)
Mon Jul 2 16:49:14 2001
Message-ID: <3B408D1A.8CD60142@sdv.fr>
Date: Mon, 02 Jul 2001 17:02:50 +0200
From: Laurent Papier <papier@sdv.fr>
To: Joost Pol <joost@contempt.nl>
Cc: bugtraq@securityfocus.com
Joost Pol wrote:
> 2. PHP Version 4.0.5/4.0.4pl1 SOMETIMES breaks safe_mode.
>
> 2.0 - Description of the problem
>
> PHP safe_mode has the nice feature of disallowing the opening/reading
> and writing to files that are not owned by the uid that the script
> is owned by.
>
> Though using some "common sense" it still is possible to open/read
> and write to files that are owned by the uid the webserver is
> running as.
>
> *notice* assuming that something like suexec is not in place */notice*
>
> An attacker could upload a simple script that does the following:
>
> <?
> $cmd = '<? showsource($foo); ?>';
> error_log($cmd,3,"/path/to/user/wwwspace/nobody.php");
> ?>
>
> For example, assuming that the error_log is owned by the webserver it
> could be read using a simple query:
>
> http://foo.bar/~user/nobody.php?foo=/path/to/webserver/logs/access_log
>
> 2.1 - Impact
>
> Depends on the setup of the hosting box.
>
> If suexec or something similar is used, impact is nihil.
>
> See also 1.1.1/1.1.2
>
> 2.3 - Solution
>
> Disallow the changing of the error_log location in safe_mode?
>
> Not really for me to say, the PHP-team will come with something good.
>
> Notice: just changing the error_log function won't do, you could also
> change the ini setting error_log (or another ini setting
> that has a similar effect).
>
> These ini settings can be set from a user script since they
> all have PHP_INI_ALL permissions.
>
> Maybe disallow setting of ini variables in safemode?

I think safe_mode should always be used with the open_basedir directive in
order to limit user filesystem access.
As error_log is limited by open_basedir, suexec is not needed to have a
secure system as long as open_basedir is correctly set.

I see nothing wrong with allowing users to use error_log.
I don't think the PHP-team should change the error_log function.

--
Laurent Papier - Admin. systeme
Sdv Plurimedia - <http://www.sdv.fr>
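
Added example, not part of either message: a defender-side audit for the artifact the quoted report describes, namely PHP scripts inside a user's web space that are owned by the web server's uid rather than by the user. The function name, the extension list and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: extensions the server hands to PHP; match them to the real handler config.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".phtml")


def find_webserver_owned_scripts(user_root, web_uid, extensions=PHP_EXTENSIONS):
    """Return sorted paths of PHP scripts under user_root whose owner is web_uid.

    safe_mode compares a script's owner with the owner of each file it opens,
    so a script created by the web server process (for example through
    error_log() with message type 3) passes that check for server-owned files.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(user_root, followlinks=False):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_uid == web_uid:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree; the running user stands in for the web server uid.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.html", "nobody.php", "inc/lib.PHTML"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php ?>\n")
        for path in find_webserver_owned_scripts(root, os.getuid()):
            print("owned by web server uid:", path)
```

On a real host, pass the uid the web server runs as and the root of each user's web space; any hit is a script that safe_mode treats as belonging to the web server.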