[29664] in bugtraq
Re: @(#)Mordred Labs advisory - Integer overflow in PHP str_repeat() function
daemon@ATHENA.MIT.EDU (Jon Ribbens)
Fri Apr 4 17:24:26 2003
Date: Fri, 4 Apr 2003 21:20:13 +0100
From: Jon Ribbens <jon+bugtraq@unequivocal.co.uk>
To: bugtraq@securityfocus.com
Message-ID: <20030404212013.C20622@snowy.squish.net>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030404104539.57060194.javi@isr.co.jp>; from javi@isr.co.jp on Fri, Apr 04, 2003 at 10:45:39AM -0900
Javi Lavandeira <javi@isr.co.jp> wrote:
> You seem to be forgetting about PHP's safe_mode, disable_functions
> and open_basedir directives. If configured properly, a user in a
> server with PHP support should not be able to execute commands, read
> other users' files or do anything outside his directory. Even though
> PHP is running with the privileges of the web server, the user
> doesn't have these privileges (again, if properly configured). Many
> ISPs configure PHP in this way.
>
> *IF* the overflow really exists *AND* is exploitable, I would be
> very worried, because *THEN* users could gain the privileges of the
> web server and do things they shouldn't be doing.
Then you should be very worried. Back in September 2000, Zeev Suraski
(PHP developer and co-author of Zend, the PHP4 scripting engine) said:
(http://marc.theaimsgroup.com/?l=php-dev&m=96815200329214)
> safe mode is indeed falsely advertised as being safe. It's very
> likely to contain bugs. As far as I'm concerned, it should be
> clearly advertised as something that would prevent the casual user
> from doing stuff he's not supposed to do, but isn't suitable for
> protecting against hackers.
