Bug #46831 safe mode bypass in readdir(), realpath()
Submitted: 2008-12-11 04:36 UTC
Modified: 2008-12-24 01:00 UTC
Votes:3
Avg. Score:2.3 ± 0.9
Reproduced:0 of 1 (0.0%)
From: cmos_clr at hotmail dot com
Assigned:
Status: No Feedback
Package: Safe Mode/open_basedir
PHP Version: 5.2CVS-2008-12-11 (snap)
OS: linux
Private report: No
CVE-ID: None
 [2008-12-11 04:36 UTC] cmos_clr at hotmail dot com
Description:
------------
::_::_::_::_::_::_::_::_::_::_::::_::_::_::_::_::_::_::_::_::_::::_::_::_::_::_::_::_::_::_::_::_:: 
::
::Found by  :  CmOs_CLR & hard_hakerz
::
::MAILS     :  CmOs_CLR@hotmail.com & hard_hakerz@hotmail.com
::
::SITE      :  wwW.SEC4EVER.coM
::
::-----------ABOUT Software:---------------- 
::
::VERSION   : PHP 5.2.6
::
::Vendor    : http://www.php.net
::
::------------------------------------------
::
::
::Responsible Functions : readdir() , realpath()
::
::WHERE IS THE PROBLEM ?
::
::IN SERVERS WITH SAFE MODE ON AND * getmyuid() * DISABLED WE CAN BYPASS THIS.
::
::FIRST THIS ERROR WILL RESULT : getmyuid() has been disabled for security reasons.
::
::FOR readdir() :
::
::  
::  <?php
::  if ($handle = opendir('.')) {
::      while (false !== ($file = readdir($handle))) {
::          if ($file != "." && $file != "..") {
::              echo "$file\n";
::          }
::      }
::      closedir($handle);
::  }
::  ?>
::
::for realpath() :
::
::
::  <?php
::  echo realpath('/etc/passwd');
::  ?>
::
::THE RESULT IS :
:: The script whose *uid is 100* is not allowed to access /etc/passwd owned by uid 0 in 
:: /home/*user*/domains/site.com/public_html/function.php on line xx
::
::NOTE : a lot of other functions can result in this error "getmyuid() bypass". An attacker can take a lot of information from this 
::error, like: is the safe mode activated from http.conf or php.ini? Who is the user of a site? = user of ftp; this can simplify FTP brute forcing to only the case of the pass because the user is known ......etc 
::this error is getmyuid() bypass in disabled function .
::
::
::thanks+good luck
::
::
::


 [2008-12-16 18:58 UTC] iliaa@php.net
Where is the security issue, you get an appropriate error about access 
denied it would seem, no?
 [2008-12-24 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
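
An added example, not part of the original report or of PHP itself: a Python check that scans HTTP response bodies for the safe-mode uid message quoted in the report, so an operator can find pages that show it to visitors. The URLs, paths and sample bodies are constructed, and the HTML markup around the message is an assumption about how the page renders warnings.

```python
import html
import re

# Wording of the message quoted in the report; the "in <file> on line <n>"
# tail is optional so a truncated message is still matched.
LEAK_RE = re.compile(
    r"The script whose uid is (?P<script_uid>\d+) is not allowed to access "
    r"(?P<target>\S+) owned by uid (?P<owner_uid>\d+)"
    r"(?: in (?P<script>\S+) on line (?P<line>\d+))?"
)
TAG_RE = re.compile(r"<[^>]+>")


def find_safe_mode_leaks(body):
    """Return one dict per safe-mode uid message found in a response body."""
    # Strip markup and collapse whitespace so HTML-formatted warnings match.
    text = html.unescape(TAG_RE.sub("", body))
    text = " ".join(text.split())
    return [m.groupdict() for m in LEAK_RE.finditer(text)]


def scan(responses):
    """Map URL -> findings for every response body that exposes the message."""
    hits = {}
    for url, body in responses.items():
        found = find_safe_mode_leaks(body)
        if found:
            hits[url] = found
    return hits


# Constructed sample responses (hypothetical host and account names).
SAMPLES = {
    "http://site.example/function.php": (
        "<br />\n<b>Warning</b>:  The script whose uid is 100 is not allowed "
        "to access /etc/passwd owned by uid 0 in "
        "<b>/home/exampleuser/domains/site.example/public_html/function.php</b>"
        " on line <b>2</b><br />"
    ),
    "http://site.example/index.php": "<html><body>Hello</body></html>",
}

if __name__ == "__main__":
    for url, findings in scan(SAMPLES).items():
        for f in findings:
            print(f"{url}: exposes script uid {f['script_uid']}, "
                  f"script path {f['script']}")
```

Pages flagged this way are candidates for `display_errors = Off` with `log_errors = On`, which keeps the message in the server log instead of the response.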
 