Bug #49026 proc_open() can bypass safe_mode_protected_env_vars restrictions
Submitted: 2009-07-23 08:36 UTC Modified: 2009-07-26 15:14 UTC
From: virus at tgu dot ru Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.10 OS: FreeBSD
Private report: No CVE-ID:
 [2009-07-23 08:36 UTC] virus at tgu dot ru
Description:
------------
Environment variables specified for proc_open are passed without a check, so the safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored.
So it becomes possible to use a buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files accessible to the apache uid.

In php.ini:
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir =
safe_mode_exec_dir = /usr/bin/safe
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH


Reproduce code:
---------------
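<?php
putenv("BLAHBLAH=123");                 // line 2: not in safe_mode_allowed_env_vars
putenv("LD_LIBRARY_PATH=/no/way");      // line 3: listed in safe_mode_protected_env_vars
putenv("PHP_TESTVAR=allowed");          // matches the allowed PHP_ prefix
// The same three variables, handed to the child through proc_open()'s $env argument.
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"),
                 1 => array("pipe", "w"));
$fp = proc_open('env', $dptspec, $pipes, './', $env);
echo "<pre>";
// Print the environment as seen by the child process.
while(!feof($pipes[1])) echo fgets($pipes[1], 1024);
fclose($pipes[0]);
fclose($pipes[1]);
proc_close($fp);
echo "</pre>";
?>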

Expected result:
----------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

PHP_TESTVAR=allowed
PWD=/my/path

Actual result:
--------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

LD_LIBRARY_PATH=/no/way
PHP_TESTVAR=allowed
BLAHBLAH=123
PWD=/my/path

 [2009-07-23 09:10 UTC] virus at tgu dot ru
I think $env parameter of proc_open() should be disabled in safe_mode.
 [2009-07-26 15:14 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=286360
Log: Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions).
 [2009-07-26 15:14 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
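
The check the report expects, written in userland PHP as an added example (not code from the PHP source or from the fix committed for this bug): it applies the allowed-prefix and protected-name rules that putenv() enforces to an array before it reaches proc_open()'s $env argument. The function names are hypothetical, and the two lists are the php.ini values from the report.

```php
<?php
// Added example; split_list() and filter_child_env() are hypothetical helper names.
function split_list(string $csv): array
{
    // Comma-separated ini value -> list of non-empty, trimmed entries.
    return array_values(array_filter(array_map('trim', explode(',', $csv)), 'strlen'));
}

// Returns [accepted, rejected]; rejected maps each refused name to a reason.
function filter_child_env(array $env, string $allowedPrefixes, string $protectedNames): array
{
    $allowed   = split_list($allowedPrefixes);
    $protected = split_list($protectedNames);
    $accepted  = [];
    $rejected  = [];
    foreach ($env as $name => $value) {
        // Integer-keyed or malformed entries carry no variable name to check.
        if (!is_string($name) || $name === '' || strpos($name, '=') !== false) {
            $rejected[(string) $name] = 'no usable variable name to check';
            continue;
        }
        // Protected names are refused even when an allowed prefix matches.
        if (in_array($name, $protected, true)) {
            $rejected[$name] = 'protected variable';
            continue;
        }
        // Mirrors putenv(): an empty allowed list permits any unprotected name.
        $ok = ($allowed === []);
        foreach ($allowed as $prefix) {
            if (strncmp($name, $prefix, strlen($prefix)) === 0) {
                $ok = true;
                break;
            }
        }
        if ($ok) { $accepted[$name] = (string) $value; }
        else     { $rejected[$name] = 'not in the allowed list'; }
    }
    return [$accepted, $rejected];
}

// The $env array from the reproduce code, checked against the report's settings.
$env = ['BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed'];
[$accepted, $rejected] = filter_child_env($env, 'PHP_', 'LD_LIBRARY_PATH');
foreach ($rejected as $name => $why) {
    error_log("refusing $name for child process: $why");
}
$proc = proc_open('env', [1 => ['pipe', 'w']], $pipes, null, $accepted);
if (is_resource($proc)) {
    echo stream_get_contents($pipes[1]); // the environment the child actually received
    fclose($pipes[1]);
    proc_close($proc);
}
```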


 
Last updated: Fri Apr 18 07:02:29 2014 UTC