Bug #43660 null value in safe_mode_exec_dir still executes program in root dir
Submitted: 2007-12-23 02:47 UTC Modified: 2008-01-29 00:04 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: greg at gguldens dot org Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.2.5 OS: Centos 5
Private report: No CVE-ID: None
 [2007-12-23 02:47 UTC] greg at gguldens dot org
Description:
------------
Using popen to execute a program such as /usr/lib/sendmail when running PHP in safe mode and with the safe_mode_exec_dir directive being null, PHP still attempts to execute the named program in the root directory.  I believe this has the potential to be exploited as a hacking mechanism if the behavior is not changed.

Reproduce code:
---------------
Use popen in safe mode to try and execute /usr/lib/sendmail.  PHP will return a 127 error.  If, however, you put a symbolic link named sendmail in the root directory that points to /usr/lib/sendmail, PHP will execute the program perfectly.

Expected result:
----------------
If the safe_mode_exec_dir directive in the PHP.ini file has a null value, then it would seem proper to not allow PHP to execute any program via a popen.  Only if there is a value associated with the safe_mode_exec_dir directive should PHP actually execute a program.

As an additional suggestion, the safe_mode_exec_dir directive could be defaulted to some directory such as "/usr/php_safe_exec" where users could place links to programs outside the safe exec directory.  This would seem to be a much more secure solution than encouraging a user to place /usr/lib, /usr/bin, /usr/sbin, or other directory that may contain executables that could be used to compromise the system if an entire pre-populated system directory was placed into this directive.


 [2008-01-29 00:04 UTC] tony2001@php.net
>If, however, you put a symbolic link named sendmail in the root 
>directory that points to /usr/lib/sendmail, PHP will execute
>the program perfectly.

Setting an empty value to safe_mode_exec_dir and creating a symlink in root requires administrative privileges, which means you need to think what you're doing and PHP can't fix your mistakes.
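
The behaviour discussed in this report, as an added example that is not part of the original thread or of PHP's source: a small model of how safe mode maps a requested command onto safe_mode_exec_dir, plus a configuration check for the values the report worries about. The function names are hypothetical, the rewrite rule is assumed from the behaviour the report describes, and the inputs are constructed.

```php
<?php
// Added illustration. safe_mode_resolve() and audit_exec_dir() are
// hypothetical helpers, not PHP internals; the rule they model is assumed
// from the behaviour described in the report above.

/** Path that safe mode would try to run for $cmd, given the exec dir. */
function safe_mode_resolve(string $cmd, string $execDir): string
{
    // Separate the program from its arguments at the first space.
    $parts = explode(' ', $cmd, 2);
    $prog  = $parts[0];
    $args  = isset($parts[1]) ? ' ' . $parts[1] : '';

    // Only the last path component is kept; the directory the caller
    // asked for is discarded and replaced by safe_mode_exec_dir.
    $slash = strrpos($prog, '/');
    $base  = ($slash === false) ? $prog : substr($prog, $slash + 1);

    return $execDir . '/' . $base . $args;
}

/** Findings for an exec-dir setting; an empty array means nothing flagged. */
function audit_exec_dir(bool $safeMode, string $execDir): array
{
    $findings = [];
    if (!$safeMode) {
        return $findings; // the directive only applies in safe mode
    }
    $dir = rtrim($execDir, '/');
    if ($dir === '') {
        $findings[] = 'safe_mode_exec_dir is empty: commands resolve against /';
    }
    // System directories named in the report as risky choices.
    if (in_array($dir, ['/usr/lib', '/usr/bin', '/usr/sbin'], true)) {
        $findings[] = "safe_mode_exec_dir is a pre-populated system directory: $dir";
    }
    return $findings;
}

// Constructed sample settings: empty value, a system dir, a dedicated dir.
foreach (['', '/usr/bin', '/usr/php_safe_exec'] as $dir) {
    echo "exec_dir='", $dir, "' -> ",
        safe_mode_resolve('/usr/lib/sendmail -t', $dir), "\n";
    foreach (audit_exec_dir(true, $dir) as $finding) {
        echo "  finding: ", $finding, "\n";
    }
}
```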
 