Re: [BUGTRAQ] php breaks safe mode

From: Joe Harris (cdiat_private)
Date: Mon Jul 02 2001 - 15:12:43 PDT


    On Sat, 30 Jun 2001, Joost Pol wrote:
    
    > Subject  : PHP safe_mode troubles. 
    
    [many snips throughout]
    
    >   An attacker could easily upload a simple evil.php script containing:
    >   <? mail("foo@bar","foo","bar","",$bar); ?> 
    
    If an intruder can upload PHP code, what's to stop them from uploading an
    even meaner bit-o-code? In some other language?
    
    There is something fundamentally flawed in the logic of claiming safe_mode
    as "broken" if the means to abuse that flaw is predicated upon an intruder
    already having write access to the file system... a situation I think most
    would agree as being catastrophic to the integrity of the host, "safe_mode"
    or no "safe_mode".
    
    Is it a bug? Sure. Is it worthy of a Bugtraq posting? Barely.
    
    >     A customer has bought some web space from a provider and is given only
    >     ftp access to upload his files. The customer is not supposed to have
    >     shell access nor view files outside of his home directory.
    > 
    >     The customer could easily upload and compile a "lite" version of the
    >     popular netcat tool (cd /usr/ports/*/netcat;make clean;make&&make
    >     install) and spawn himself a remote shell on the hosting boxen.
    
    Or install a C/Perl/Tcl/sh/ etc etc shell emulating CGI to do the same
    thing. If the person has write access to the file system there is very
    little that will stop them from being able to execute shell commands,
    install and run netcat, or any of a myriad of other privilege escalation or
    "local root" attacks.
    
    >   An attacker could upload a simple script that does the following:
    
    Once again, your attack is predicated upon a malicious intruder having write
    access to the file system. Once that level of access has been obtained, you
    are already at the intruder's mercy.
    
    Anything else the intruder finds on the file system, including a minor bug
    in PHP, is pure gravy.
    
    __ 
    http://www.thewebmasters.net/
    "Well, I'll fetch a spammer, you fetch an iMac, some baby oil, and some
    burly mechanics to assist with the insertion, and we'll Advance Science!"
                                          -- Patrick Wade in the Monastery
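The quoted evil.php relies on one thing: a value the attacker controls is handed to mail() as its fifth argument, which PHP passes on to the sendmail binary. The following is an added example, not code from either poster, showing that call next to a wrapper that builds the fifth argument itself from a validated envelope-sender address. The function names, the address pattern and the sample inputs are illustrative choices made here, not anything from the thread.

```php
<?php
// Added example, not code from the original posts. It contrasts the call the
// thread quotes (an attacker-controlled value as mail()'s fifth argument) with
// a wrapper that constructs that argument from a validated address. All names
// here are illustrative.

// The quoted pattern: $bar flows untouched into the options handed to the
// sendmail binary, so whatever the caller controls reaches a command line.
function send_unvalidated(string $to, string $subject, string $body, string $bar): bool
{
    return mail($to, $subject, $body, "", $bar);
}

// Conservative address check: letters, digits, a few punctuation characters,
// one "@", and a dotted domain. Deliberately stricter than RFC 5322 so that
// nothing a shell would interpret (space, ; | & ` $ quotes) can get through.
function is_safe_address(string $addr): bool
{
    $pattern = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/';
    return preg_match($pattern, $addr) === 1;
}

// Header values must be a single line; a CR or LF would let a caller append
// extra header fields (additional recipients, for instance) to the message.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Hardened form: the only thing a caller influences in the fifth argument is
// the envelope sender, and only after it has passed is_safe_address().
function send_with_envelope_sender(string $to, string $subject, string $body, string $sender): bool
{
    if (!is_safe_address($to) || !is_safe_address($sender)) {
        throw new InvalidArgumentException('recipient and sender must be plain addresses');
    }
    if (!is_single_line($subject)) {
        throw new InvalidArgumentException('subject must not contain line breaks');
    }
    // The option string is assembled here; no caller-supplied text is spliced in.
    $extra = '-f' . $sender;
    return mail($to, $subject, $body, '', $extra);
}

// Constructed inputs showing what the validator accepts and rejects.
$samples = [
    'ops@example.com',                  // accepted
    'ops+alerts@mail.example.com',      // accepted
    'x@example.com extra-token',        // rejected: whitespace and a second token
    "x@example.com\nBcc: a@b.example",  // rejected: embedded newline
    'x`id`@example.com',                // rejected: backticks
    '@example.com',                     // rejected: empty local part
];
foreach ($samples as $s) {
    printf("%-40s %s\n", json_encode($s), is_safe_address($s) ? 'accepted' : 'rejected');
}
```

The wrapper does not try to sanitize a free-form option string; it refuses to accept one at all and exposes only the single piece of data (the envelope sender) that legitimate callers need. That is the same point Joe makes about safe_mode from the other direction: a boundary that depends on filtering attacker-controlled text is weaker than one that never lets that text near the privileged operation.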
    



    This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 11:28:04 PDT