|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2002-04-25 00:30 UTC] veins at skreel dot org
[2002-05-20 11:29 UTC] mfischer@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 16 07:01:29 2024 UTC |
I noticed that many of the posix_* functions DO NOT check wether safe_mode or open_basedir restrict access to the user database thus allowing a user to rebuild a complete /etc/passwd without permissions to read /etc/passwd or access the /etc directory. This is dangerous in some cases where login are kept secret as it allows a user to know what accounts have what privileges and what accounts have access to a shell or not. For now there is only one thing to do, disable these functions but i'm pretty sure that adding checks to see values of safe_mode and/or open_basedir would be a nice thing to do. Here's a script that rebuilds /etc/passwd when safe_mode is enabled and open_basedir is set to the user homedirectory: <? for ($i = 0; $i < 60000; $i++) { if (($tab = @posix_getpwuid($i)) != NULL) { echo $tab['name'].":"; echo $tab['passwd'].":"; echo $tab['uid'].":"; echo $tab['gid'].":"; echo $tab['gecos'].":"; echo $tab['dir'].":"; echo $tab['shell']."<br>"; } } ?> On a very large system, if an execution time is set, this will not end up, but hopefully the posix_getpwent() function is missing so the user has to go through all possible uid's.