[21323] in bugtraq
Re: [BUGTRAQ] php breaks safe mode
daemon@ATHENA.MIT.EDU (Joost Pol)
Tue Jul 3 14:30:37 2001
Date: Tue, 3 Jul 2001 02:04:14 +0200
From: Joost Pol <joost@contempt.nl>
To: Joe Harris <cdi@thewebmasters.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20010703020414.A48429@badcoding.org>
In-Reply-To: <Pine.LNX.3.95.1010702150322.10419A-100000@animal.blarg.net>; from cdi@thewebmasters.net on Mon, Jul 02, 2001 at 03:12:43PM -0700

On Mon, Jul 02, 2001 at 03:12:43PM -0700, Joe Harris wrote:
> On Sat, 30 Jun 2001, Joost Pol wrote:
>
> If an intruder can upload PHP code, what's to stop them from uploading an
> even meaner bit-o-code? In some other language?
>
> There is something fundamentally flawed in the logic of claiming safe_mode
> as "broken" if the means to abuse that flaw is predicated upon an intruder
> already having write access to the file system... a situation I think most
> would agree as being catastrophic to the integrity of the host, "safe_mode"
> or no "safe_mode".

Well, two changes do occur.

1. User could obtain the uid of the webserver. (nobody access)
   In a decently configured hosting machine, the impact would be minor.
   And *all* hosting machines are configured decently, right? (:

2. An ISP only giving out ftp access for users to upload new webpages
   could find themselves confronted with users with shell access.

> Is it a bug? Sure. Is it worthy of a Bugtraq posting? Barely.

Hmm, at least I should have cut it a bit. True.

The one Good Thing that came out of the bugtraq posting was that the PHP
team actually picked the issue up from the list and are fixing it.

Before that I mailed them and posted it on the php bug list, little response.

[heavy cutting]
Kind Regards,
Joost Pol
--
Joost Pol alias 'Nohican' <joost@contempt.nl> PGP 584619BD
PGP fingerprint B1FA EE66 CFAA A492 D5F8 9A8A 0CDA 5846 19BD
Laboratoire Contempt - Tel +31-6-28887995 Fax: +31-70-3873625