PHP problem

From: veins (veinsat_private)
Date: Mon Apr 22 2002 - 10:13:54 PDT


    This is not really an advisory, but a warning for sysadmins running
    webservers with PHP. I noticed that it was possible to rebuild the user
    database (Unix) even when safe_mode prevented reading /etc/passwd and
    open_basedir prevented accessing /etc.
    The implementation of the getpw{uid,nam} functions (and their group
    equivalents) in PHP does not check values for safe_mode and open_basedir,
    letting a user rebuild a complete /etc/passwd file.
    There was no implementation of getpwent(), so the user has to loop on all
    possible uids, but in some environments it can cause some problems.
    
    For more information, I have posted a bug report and a script showing
    the problem:
         http://bugs.php.net/bug.php?id=16733
    
    I hope that can prevent some problems on your servers  ;)
    Anyways, a quick fix would be to disable posix_* functions that deal with
    the user database.
    
    Sysadmin @ Skreel.org && Kheos.net
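
One way to check whether the quick fix suggested in the message above is in place, as an added example that is not part of the original post or of PHP itself. It assumes the lookups in question are posix_getpwuid, posix_getpwnam, posix_getgrgid and posix_getgrnam; the helper names are hypothetical.

```php
<?php
// Added example: audit the running PHP configuration for the mitigation
// "disable posix_* functions that deal with the user database".

// Assumption: these are the posix_* lookups backed by getpwuid/getpwnam
// and their group equivalents.
const USERDB_FUNCTIONS = [
    'posix_getpwuid', 'posix_getpwnam', 'posix_getgrgid', 'posix_getgrnam',
];

// Parse the comma-separated disable_functions directive into a clean list.
function disabled_functions(): array
{
    $raw = (string) ini_get('disable_functions');
    $names = array_map('strtolower', array_map('trim', explode(',', $raw)));
    return array_values(array_filter($names, 'strlen'));
}

// Classify each lookup as unavailable, disabled, or still callable.
function audit_userdb_functions(): array
{
    $disabled = disabled_functions();
    $report = [];
    foreach (USERDB_FUNCTIONS as $fn) {
        if (!extension_loaded('posix')) {
            $report[$fn] = 'unavailable (posix extension not loaded)';
        } elseif (in_array($fn, $disabled, true) || !function_exists($fn)) {
            $report[$fn] = 'disabled';
        } else {
            $report[$fn] = 'CALLABLE';
        }
    }
    return $report;
}

$report = audit_userdb_functions();
foreach ($report as $fn => $state) {
    printf("%-16s %s\n", $fn, $state);
}

$exposed = array_keys($report, 'CALLABLE', true);
if ($exposed) {
    // disable_functions is honoured only in php.ini, not ini_set() or .htaccess.
    echo "\nAppend to disable_functions in php.ini: ", implode(',', $exposed), "\n";
    exit(1);
}
exit(0);
```

Run it under the same SAPI and php.ini as the web server, since the CLI binary often loads a different configuration.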
    


