| Bug #45997 | safe_mode bypass | | | | |
|---|---|---|---|---|---|
| Submitted: | 4 Sep 2008 7:03pm UTC | Modified: | 30 Apr 3:27pm UTC | | |
| From: | johannesdahse at gmx dot de | Assigned to: | pajoye | | |
| Status: | Closed | Category: | Safe Mode/open_basedir | | |
| Version: | 5.2.6 | OS: | win32 only | | |
| Votes: | 11 | Avg. Score: | 4.4 ± 1.4 | Reproduced: | 5 of 7 (71.4%) |
| Same Version: | 5 (100.0%) | Same OS: | 5 (100.0%) | | |

[30 Apr 3:27pm UTC] pajoye@php.net
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better.

Description:
------------
safe_mode bypass with a preceding backslash. Tested with exec(), system() and passthru(). On Windows only.

Sorry, I do feel this bug concerns a security issue but I got no response from security@php.net after sending 2 emails from 2 different accounts about 6 weeks ago.

Reproduce code:
---------------
On commandline:

    php -n -d safe_mode=on -r "exec('\ping 192.168.222.1');"

With PHP script and enabled safe_mode in php.ini:

    <? exec('\ping 192.168.222.1'); ?>

Expected result:
----------------
safe_mode turned on should block code execution from exec() and other functions.

Actual result:
--------------
By adding a backslash in front of the command the command got executed anyhow.