php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49026 proc_open() can bypass safe_mode_protected_env_vars restrictions
Submitted: 2009-07-23 08:36 UTC Modified: 2009-07-26 15:14 UTC
From: virus at tgu dot ru Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.10 OS: FreeBSD
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: virus at tgu dot ru
New email:
PHP Version: OS:

 

 [2009-07-23 08:36 UTC] virus at tgu dot ru
Description:
------------
Environment variables specified for proc_open passed without check so safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored.
So it become possible to use buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files acessible for apache uid.

In php.ini:
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir =
safe_mode_exec_dir = /usr/bin/safe
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH


Reproduce code:
---------------
<?
putenv("BLAHBLAH=123");
putenv("LD_LIBRARY_PATH=/no/way");
putenv("PHP_TESTVAR=allowed");
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"),
                 1 => array("pipe", "w"));
$fp = proc_open('env', $dptspec, $pipes, './', $env);
echo "<pre>";
while(!feof($pipes[1])) echo fgets($pipes[1], 1024);
fclose($pipes[1]);
echo "</pre>";
?>

Expected result:
----------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

PHP_TESTVAR=allowed
PWD=/my/path

Actual result:
--------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set environment variable 'BLAHBLAH' - it's not in the allowed list in /my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on line 3

LD_LIBRARY_PATH=/no/way
PHP_TESTVAR=allowed
BLAHBLAH=123
PWD=/my/path

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-07-23 09:10 UTC] virus at tgu dot ru
I think $env parameter of proc_open() should be disabled in safe_mode.
 [2009-07-26 15:14 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=286360
Log: Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions).
 [2009-07-26 15:14 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Oct 12 22:01:28 2024 UTC