php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #26375 Circumventing safe mode to extend file operations
Submitted: 2003-11-24 00:36 UTC Modified: 2014-04-17 14:28 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: php-online at cyberblue dot org dot uk Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.3.3 OS: Irrelevant
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2003-11-24 00:36 UTC] php-online at cyberblue dot org dot uk
Description:
------------
In safe mode the httpd process (apache uid) can create 
files/directories using a script in a 0777 directory 
both owned by the user (user uid). If the httpd tries 
to create files/dirs in a newly created directory then 
we will get the familiar warning:

<i>Warning:</i> <b>[File/Dir operation()]</b>: SAFE 
MODE Restriction in effect. The script whose uid is 
<b>user</b> is not allowed to access 
<b>[apache_owner_dir/file]</b> owned by uid <b>apache</
b>

The fact that httpd can create new files allows us to 
copy a script containing file (and other!) operations 
that can then be used to perform operations with a 
script owned by apache. eg: file_ops.php (user uid) --
copy--> hack_file_ops.php (apache uid). This would 
avoid the above warning.

Used in conjuction with the HTTP forwarding header [ie 
header( "Location: http://.../hack_file_ops.php");] 
this file can be called upon from normal scripts to 
perform operations on files/dirs owned by apache while 
in safe mode, thus circumventing its restrictions.

This is good to extend functionality when a hosting 
provider limits code execution by turning on safe mode. 
This means many ready made php packages can be modified 
to work (well, those that need to do lots of file/
directory manipulation :). It could also be used to 
play around with other entities owned by apache/www/
nobody/httpd uid. such as the davlocks/proxy 
directories...

It would make sense to allow a script access to a 0777 
directory whether it was in safe mode or not - 
certainly file manipulation within the web root should 
be allowed but for now this work around is ok, but 
hacky. The worrying part is it does allow a small 
security hole but its ramifications (for the most part) 
seem to be limited. If apache cannot access the davlock 
directory will it be happy?

laters, Andi 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-17 14:28 UTC] levim@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: Safe Mode/open_basedir -Operating System: MacOS/Redhat +Operating System: Irrelevant
 [2014-04-17 14:28 UTC] levim@php.net
This won't be fixed; safe mode was deprecated in PHP 5.3 and removed in PHP 5.4.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Dec 08 09:03:37 2021 UTC