Joost Pol wrote:

> 2. PHP Version 4.0.5/4.0.4pl1 SOMETIMES breaks safe_mode.
>
> 2.0 - Description of the problem
>
> PHP safe_mode has the nice feature of disallowing the opening/reading
> and writing to files that are not owned by the uid that the script
> is owned by.
>
> Though using some "common sense" it still is possible to open/read
> and write to files that are owned by the uid the webserver is
> running as.
>
> *notice* assuming that something like suexec is not in place */notice*
>
> An attacker could upload a simple script that does the following:
>
> <?
> // type 3 sends the message to the file named in the third argument
> $cmd = '<? show_source($foo); ?>';
> error_log($cmd, 3, "/path/to/user/wwwspace/nobody.php");
> ?>
>
> For example, assuming that the error_log is owned by the webserver it
> could be read using a simple query:
>
> http://foo.bar/~user/nobody.php?foo=/path/to/webserver/logs/access_log
>
> 2.1 - Impact
>
> Depends on the setup of the hosting box.
>
> If suexec or something similar is used, impact is nil.
>
> See also 1.1.1/1.1.2
>
> 2.3 - Solution
>
> Disallow the changing of the error_log location in safe_mode?
>
> Not really for me to say, the PHP-team will come with something good.
>
> Notice: just changing the error_log function won't do, you could also
> change the ini setting error_log (or another ini setting
> that has a similar effect).
>
> These ini settings can be set from a user script since they
> all have PHP_INI_ALL permissions.
>
> Maybe disallow setting of ini variables in safemode?

I think safe_mode should always be used with open_basedir directive in order to limit user filesystem access. As error_log is limited by open_basedir, suexec is not needed to have a secure system as long as open_basedir is correctly set.

I see nothing wrong allowing user to use error_log. I don't think PHP-team should change the error-log function.

--
Laurent Papier - Admin. systeme
Sdv Plurimedia - <http://www.sdv.fr>
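As an added example that is not part of either message above: a pair of Apache (mod_php) virtual host fragments showing the weak setup the first post relies on beside the corrected one Laurent Papier recommends. Hostnames, paths and the scratch directory are hypothetical. The hardened version uses php_admin_flag/php_admin_value, which lock a setting so that neither .htaccess nor a script's ini_set() can change it; that also answers the first post's point about PHP_INI_ALL settings being changeable from user scripts.

```apache
# Weak: safe_mode alone, no open_basedir.
# error_log($msg, 3, $path) can write anywhere the web server uid can
# write, and a script run as that uid can then read any file owned by
# the web server uid, such as the access log.
<VirtualHost *:80>
    ServerName user.example.test
    DocumentRoot /home/user/wwwspace
    php_flag safe_mode On
</VirtualHost>

# Hardened: safe_mode plus open_basedir, both locked with php_admin_*.
<VirtualHost *:80>
    ServerName user.example.test
    DocumentRoot /home/user/wwwspace
    php_admin_flag safe_mode On
    # Confine every path-based file operation (fopen, include,
    # show_source, error_log type 3, ...) to the user's own tree plus a
    # per-user scratch directory. A file written into wwwspace is still
    # possible, but reading /path/to/webserver/logs/access_log from it
    # fails the open_basedir check.
    php_admin_value open_basedir "/home/user/wwwspace:/tmp/user"
    # Pin the default error log destination (type 0) outside the
    # document root; ini_set('error_log', ...) in a script has no effect
    # on a php_admin_value.
    php_admin_value error_log "/var/log/php/user_error.log"
</VirtualHost>
```

Two caveats for anyone reading this today: open_basedir is a check on resolved paths, so the per-user value must list every directory the site legitimately needs and nothing shared with other customers, and safe_mode itself was removed in PHP 5.4, so on current PHP the controls are open_basedir together with running each site under its own uid (suexec, or a dedicated php-fpm pool).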
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 13:49:46 PDT