php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #32421 Execution functions bypass safe_mode configurations
Submitted: 2005-03-23 01:10 UTC Modified: 2005-03-31 16:38 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: ricardi at gmail dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.3.10 OS: *nix (Tested on Linux)
Private report: No CVE-ID: None
View Developer Edit
 [2005-03-23 01:10 UTC] ricardi at gmail dot com 
Description:
------------
We bypass the safe_mode restrictions using binary with "system" function built-in. The problem occurs when we had an incident in a mass virtualhost machine. One of the domains, execute a script that bypass the safe_mode restrictions like open_base_dir and safe_mode_exec_dir. 

The configurations in the virtualhost was like:

<VirtualHost *>
ServerName www.something.com
ServerPath /mnt/nfs/domains/something.com.br/www
php_admin_value open_basedir /mnt/nfs/domains/something.com.br/
php_admin_value upload_tmp_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_include_dir /mnt/nfs/domains/something.com.br/
php_admin_value safe_mode_exec_dir /mnt/nfs/domains/something.com.br/
...

</VirtualHost>

We create a simple program in "C" that create a file outside the open_basedir and execute a binary that isn't in the safe_mode_exec_dir:
/* ---------------
Contents of file.c 
 ---------------- */

#include <stdio.h>

int main() {
        system("find / -maxdepth 1 > /tmp/trash.txt");
        return 0;
}

Compiling: gcc -o file file.c

With an ftp access, we put the file in the safe_mode_exec_dir:

> ls -la mnt/nfs/domains/something.com.br/
-rwxr-xr-x    1 nfsnobod nfsnobod    13576 Mar 22 16:57 file

Now create a php script that calls the binary.

<?php
system("file");
?>

Then put this on the webroot and after accessing the script with http://www.something.com.br/script.php, check the /tmp:

> ls -la /tmp
-rw-r--r--    1 nfsnobody     nfsnobody          139 Mar 22 21:00 trash.txt

We had to disable the execution feature from our product.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-23 08:23 UTC] tony2001@php.net 
Disable system() and other exec functions then.
PHP is unable to prevent you to shoot your leg or to format harddrive with a binary called by a binary.
 [2005-03-23 16:38 UTC] ricardi at gmail dot com 
The PHP engine can't not control de children created by the exec functions? This could be a great security enhancement, since that some php applications are suffering from xploits that use this technic. I've already disable this functions now, but our clients are unhappy with this limitations.
 [2005-03-23 16:41 UTC] tony2001@php.net 
>The PHP engine can't not control de children created by the 
>exec functions?

exactly.
and nobody can.
 [2005-03-24 00:21 UTC] ricardi at gmail dot com 
Ok. So, even knowing this, there is no banner with a warning about this problem? Please, just to close this "bug", put this warning when talking about safe_mode_exec_dir. When you are using PHP in a Hosting Provider with thousand domains, the banner CERTAINLY would be helpfull. I've almost had 12000 defaces because I didn't be advised about sefa_mode_exec_dir bypass. Please, think about it! 

Thank you!
 [2005-03-26 15:01 UTC] derick@php.net 
Warning should go to the docs... (if it's not there yet)
 [2005-03-28 04:49 UTC] ricardi at gmail dot com 
Thank you. Please, the banner could be placed at this chapter:
Chapter 42. Safe Mode

Under the section: 
safe_mode_exec_dir 

I think that the problem is big enough to receive a big warning too. 

Others chapters like:
IV. Security
XXXI. Program Execution Functions
... could be helpfull too.

The banner contents would be something like:

"The PHP Engine (and nobody) can't take care of your children. Not trusteds binaries can be dangerous to your system. In Mass VirtualHost machines, we suggest to disable exec functions".

Thanks again!
 [2005-03-31 16:38 UTC] vrana@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"These PHP rectrictions are not valid in executed binaries, of course."
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Nov 02 08:00:02 2025 UTC