Bug #12119 safe mode owner check can be bypassed with symlink
Submitted: 2001-07-12 20:02 UTC Modified: 2001-07-13 14:24 UTC
From: jflemer at acm dot jhu dot edu Assigned: jflemer (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 4.0.6 OS: Solaris 8
Private report: No CVE-ID: None
 [2001-07-12 20:02 UTC] jflemer at acm dot jhu dot edu
php_checkuid() [ main/safe_mode.c:46 ] first checks the ownership of the file you are trying to open against the ownership of the executing script.

If that check fails, it checks the ownership of the directory containing the file you are trying to open. The second part never calls VCWD_REALPATH() on the filename before trimming it to get the working directory. Thus it is simple to bypass safe mode restrictions.

In a directory you own, create a symlink to, say, /etc/passwd, then include that symlink in a file you own.

e.g.:
$ cd $HOME/public_html
$ ln -s /etc/passwd symlink
$ echo '<pre><?php include "symlink"; ?></pre>' > passwd.php

I have a patch (almost) prepared that calls VCWD_REALPATH() on the destination, then trims the filename in order to get directory permissions. 
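The two ownership comparisons the report describes, modelled in Python as an added example (this is not PHP's own code; php_checkuid() in main/safe_mode.c is C and handles more cases than the two shown here). The filesystem table, the uids (0 for root, 1000 for the script owner, 33 for a hypothetical web-server user), the paths and the helper names are constructed for illustration. The vulnerable check trims the directory off the name as typed; the fixed one resolves symlinks first, as the commit does with VCWD_REALPATH.

```python
"""Model of the safe-mode owner check with and without realpath resolution."""
import posixpath

# Constructed filesystem: absolute path -> (owner uid, symlink target or None).
FS = {
    "/": (0, None),
    "/etc": (0, None),
    "/etc/passwd": (0, None),
    "/home": (0, None),
    "/home/alice": (1000, None),
    "/home/alice/public_html": (1000, None),
    "/home/alice/public_html/passwd.php": (1000, None),
    # A file dropped into alice's directory by another uid (hypothetical web
    # server user 33): the directory-owner fallback exists for cases like this.
    "/home/alice/public_html/upload.txt": (33, None),
    # The symlink from the report: owned by alice, pointing at a root-owned file.
    "/home/alice/public_html/symlink": (1000, "/etc/passwd"),
}

SCRIPT_UID = 1000  # uid of the user whose script is executing


class NotFound(Exception):
    """Raised when a path component does not exist in FS."""


def realpath(path, depth=0):
    """Resolve every symlink in `path` against FS (stands in for VCWD_REALPATH)."""
    if depth > 32:
        raise NotFound("too many levels of symbolic links: %s" % path)
    resolved = "/"
    for part in path.split("/"):
        if not part:
            continue
        candidate = posixpath.join(resolved, part)
        entry = FS.get(candidate)
        if entry is None:
            raise NotFound(candidate)
        _owner, target = entry
        if target is not None:
            # Follow the link (relative targets are taken from the link's directory).
            candidate = realpath(
                posixpath.join(posixpath.dirname(candidate), target), depth + 1)
        resolved = candidate
    return resolved


def stat_uid(path):
    """Owner uid of the object `path` finally refers to (stat follows symlinks)."""
    return FS[realpath(path)][0]


def checkuid_vulnerable(filename, script_uid=SCRIPT_UID):
    """The check as the report describes it before the fix."""
    # Step 1: the owner of the file being opened must match the script owner.
    try:
        if stat_uid(filename) == script_uid:
            return True
    except NotFound:
        pass
    # Step 2 (the bug): the directory is taken from the *unresolved* name, so a
    # symlink in a directory you own passes for whatever it points at.
    try:
        return stat_uid(posixpath.dirname(filename)) == script_uid
    except NotFound:
        return False


def checkuid_fixed(filename, script_uid=SCRIPT_UID):
    """Same check, but the symlink is resolved before the name is trimmed."""
    try:
        if stat_uid(filename) == script_uid:
            return True
        destination = realpath(filename)
    except NotFound:
        return False
    # The directory owner that matters is the one holding the real destination.
    return stat_uid(posixpath.dirname(destination)) == script_uid


def demo():
    """Return (vulnerable, fixed) verdicts for each constructed path."""
    paths = [
        "/home/alice/public_html/passwd.php",   # own file: allowed either way
        "/home/alice/public_html/upload.txt",   # foreign file in own dir: allowed
        "/home/alice/public_html/symlink",      # the bypass from the report
        "/etc/passwd",                          # direct access: denied either way
    ]
    return {p: (checkuid_vulnerable(p), checkuid_fixed(p)) for p in paths}


if __name__ == "__main__":
    for path, (old, new) in demo().items():
        print("%-40s vulnerable=%-5s fixed=%s" % (path, old, new))
```

Only the symlink row differs between the two columns: the vulnerable check trims "/home/alice/public_html/symlink" to a directory alice owns and allows the open, while the fixed check trims the resolved "/etc/passwd" to "/etc" and denies it. The upload.txt row shows why the directory fallback is kept at all.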

History

 [2001-07-13 14:24 UTC] jflemer@php.net
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
  - [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
    of symlink before trimming filename

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 20 07:01:29 2024 UTC