|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43660 null value in safe_mode_exec_dir still executes program in root dir
Submitted: 2007-12-23 02:47 UTC Modified: 2008-01-29 00:04 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: greg at gguldens dot org Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.2.5 OS: Centos 5
Private report: No CVE-ID: None
 [2007-12-23 02:47 UTC] greg at gguldens dot org
Using popen to execute a program such as /usr/lib/sendmail when running PHP in safe mode and with the safe_mode_exec_dir directive being null, PHP still attempts to execute the named program in the root directory.  I believe this has the potential to be exploited as a hacking mechanism if the behavior is not changed.

Reproduce code:
use popen in safe mode to try and execute /usr/lib/sendmail.  PHP will return a 127 error.  If, however, you put a symbolic link named sendmail in the root directory that points to /usr/lib/sendmail, PHP will execute the program perfectly.

Expected result:
If the safe_mode_exec_dir directive in the PHP.ini file has a null value, then it would seem proper to not allow PHP to execute any program via a popen.  Only if there is a value associated with the safe_mode_exec_dir directive should PHP actually execute a program.

As an additional suggestion, the safe_mode_exec_dir directive could be defaulted to some directory such as "/usr/php_safe_exec" where users could place links to programs outside the safe exec directory.  This would seem to be a much more secure solution than encouraging a user to place /usr/lib, /usr/bin, /use/sbin, or other directory that may contain executables that could be used to compromise the system if an entire pre-populated system directory was placed into this directive.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-01-29 00:04 UTC]
>If, however, you put a symbolic link named sendmail in the root 
>directory that points to /usr/lib/sendmail, PHP will execute
>the program perfectly.

Setting an empty value to safe_mode_exec_dir and creating a symlink in root requires administrative privileges, which means you need to think what you're doing and PHP can't fix your mistakes.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Aug 26 01:01:26 2019 UTC