On Sat, 30 Jun 2001, Joost Pol wrote:

> Subject : PHP safe_mode troubles.

[many snips throughout]

> An attacker could easily upload a simple evil.php script containing:
>
> <? mail("foo@bar","foo","bar","",$bar); ?>

If an intruder can upload PHP code, what's to stop them from uploading an even meaner bit-o-code? In some other language?

There is something fundamentally flawed in the logic of claiming safe_mode is "broken" if the means to abuse that flaw is predicated upon an intruder already having write access to the file system... a situation I think most would agree is catastrophic to the integrity of the host, "safe_mode" or no "safe_mode".

Is it a bug? Sure. Is it worthy of a Bugtraq posting? Barely.

> A customer has bought some web space from a provider and is given only
> ftp access to upload his files. The customer is not supposed to have
> shell access nor view files outside of his home directory.
>
> The customer could easily upload and compile a "lite" version of the
> popular netcat tool (cd /usr/ports/*/netcat;make clean;make&&make
> install) and spawn himself a remote shell on the hosting boxen.

Or install a C/Perl/Tcl/sh/etc. shell-emulating CGI to do the same thing. If the person has write access to the file system there is very little that will stop them from being able to execute shell commands, install and run netcat, or mount any of a myriad of other privilege-escalation or "local root" attacks.

> An attacker could upload a simple script that does the following:

Once again, your attack is predicated upon a malicious intruder having write access to the file system. Once that level of access has been obtained, you are already at the intruder's mercy. Anything else the intruder finds on the file system, including a minor bug in PHP, is pure gravy.

__
http://www.thewebmasters.net/
"Well, I'll fetch a spammer, you fetch an iMac, some baby oil, and some burly mechanics to assist with the insertion, and we'll Advance Science!"
-- Patrick Wade in the Monastery
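The one concrete piece of code in this thread is the quoted mail() call that hands an attacker-controlled $bar to mail()'s fifth argument, which PHP appends to the sendmail command line. The following is an added example, not code from either poster, showing that pattern beside a wrapper that never lets caller input reach that argument unvalidated. It assumes a sendmail-compatible MTA behind mail(), a modern PHP (7.1 or later, for the type declarations), and that the only extra option a legitimate application ever needs is an envelope sender (-f); the function names and the sample inputs are made up for the illustration.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.1 and a
// sendmail-compatible MTA. Function names and inputs are hypothetical.

// The pattern quoted in the thread: $bar is taken from the caller and lands
// on the sendmail command line as-is, so whoever controls $bar controls
// which options the MTA binary is started with.
function mail_unsafe(string $to, string $subject, string $body, string $bar): bool
{
    return mail($to, $subject, $body, '', $bar);
}

// Hardened wrapper: the fifth argument is built entirely by this function.
// The caller may supply only an envelope-sender address; it must validate as
// an e-mail address (no shell metacharacters survive that check) and is
// additionally shell-escaped before it is handed to mail().
function mail_safe(string $to, string $subject, string $body, ?string $envelope_from = null): bool
{
    // Reject CR/LF in header fields so nobody smuggles extra headers in.
    foreach ([$to, $subject] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            throw new InvalidArgumentException('CR/LF in mail header field');
        }
    }
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid recipient');
    }

    $extra = '';
    if ($envelope_from !== null) {
        if (filter_var($envelope_from, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid envelope sender');
        }
        // The option letter is ours; only the validated address is interpolated.
        $extra = '-f' . escapeshellarg($envelope_from);
    }
    return mail($to, $subject, $body, '', $extra);
}

// Constructed inputs for a stand-alone run. A legitimate envelope sender goes
// through; a value that tries to append further options is rejected before
// mail() is ever called.
$legit = 'sender@example.com';
$hostile = 'sender@example.com -o some-other-option';   // constructed

foreach ([$legit, $hostile] as $from) {
    try {
        mail_safe('foo@example.com', 'test', 'hello', $from);
        echo "accepted envelope sender: $from\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected ($from): ", $e->getMessage(), "\n";
    }
}
```

This protects the case the thread does not dispute, i.e. hosted code that passes a form field into mail(). It does nothing about the case the reply is actually about: an intruder who can already write a PHP file to the document root does not need mail() at all and will simply call whatever function, CGI or compiled binary they like.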
This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 11:28:04 PDT