php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19363 PHP safe mode security problem
Submitted: 2002-09-11 18:57 UTC Modified: 2002-11-13 01:00 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dados at impazz dot it Assigned:
Status: No Feedback Package: Filesystem function related
PHP Version: 4.2.2 OS: Linux 2.4.2-2smp
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dados at impazz dot it
New email:
PHP Version: OS:

 

 [2002-09-11 18:57 UTC] dados at impazz dot it
Hello, using apache 1.3.26, I have safe mode on

I have a simple single-line script: safemode.php

<?print_r($fp = fopen('newsletter.html', 'r'));?>

safemode is owned by wbr:wbr and newsletter.html is owned
by root:root as you can see

-rw-r--r--    1 root     root        22161 Sep 12 00:17 newsletter.html
-rw-r--r--    1 wbr      wbr            43 Sep 12 01:24 safemode.php

safemode.php execution simply return 'Resource id #1' without errors related to safe mode, even if the owner of the files is not the same

If I change the owner of safemode.php
$ chown nobody:nobody safemode.php
and reload safemode.php I get the expected warning:

Warning: SAFE MODE Restriction in effect. The script whose uid is 99 is not allowed to access newsletter.html owned by uid 

If I change the user back to wbr:wbr --> No warning

Helpful info:

$ cat /etc/passwd |grep wbr
wbr:x:501:501::/www/wbr:/bin/bash

$ cat /usr/local/lib/php.ini |grep safe_mode |grep -v "^;"
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir = "/usr/local/lib/php"
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
sql.safe_mode = Off

Hope can help
Thanks a lot

Edoardo Serra

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-09-11 19:52 UTC] dados at impazz dot it
Upgraded to php 4.3.3 --> still having the same problem
 [2002-10-28 10:56 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-11-13 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 18:01:28 2024 UTC