PHP :: Bug #43660 :: null value in safe_mode_exec_dir still executes program in root dir

Bug #43660

null value in safe_mode_exec_dir still executes program in root dir

Submitted:

2007-12-23 02:47 UTC

Modified:

2008-01-29 00:04 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

greg at gguldens dot org

Assigned:

Status:

Not a bug

Package:

Safe Mode/open_basedir

PHP Version:

5.2.5

OS:

Centos 5

Private report:

CVE-ID:

None

View Developer Edit

[2007-12-23 02:47 UTC] greg at gguldens dot org

Description:
------------
Using popen to execute a program such as /usr/lib/sendmail when running PHP in safe mode and with the safe_mode_exec_dir directive being null, PHP still attempts to execute the named program in the root directory.  I believe this has the potential to be exploited as a hacking mechanism if the behavior is not changed.

Reproduce code:
---------------
use popen in safe mode to try and execute /usr/lib/sendmail.  PHP will return a 127 error.  If, however, you put a symbolic link named sendmail in the root directory that points to /usr/lib/sendmail, PHP will execute the program perfectly.

Expected result:
----------------
If the safe_mode_exec_dir directive in the PHP.ini file has a null value, then it would seem proper to not allow PHP to execute any program via a popen.  Only if there is a value associated with the safe_mode_exec_dir directive should PHP actually execute a program.

As an additional suggestion, the safe_mode_exec_dir directive could be defaulted to some directory such as "/usr/php_safe_exec" where users could place links to programs outside the safe exec directory.  This would seem to be a much more secure solution than encouraging a user to place /usr/lib, /usr/bin, /use/sbin, or other directory that may contain executables that could be used to compromise the system if an entire pre-populated system directory was placed into this directive.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-01-29 00:04 UTC] tony2001@php.net

>If, however, you put a symbolic link named sendmail in the root 
>directory that points to /usr/lib/sendmail, PHP will execute
>the program perfectly.

Setting an empty value to safe_mode_exec_dir and creating a symlink in root requires administrative privileges, which means you need to think what you're doing and PHP can't fix your mistakes.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 20:00:01 2025 UTC