This is not really an advisory, but a warning for sysadmins running webservers with PHP. I noticed that it was possible to rebuild the user database (Unix) even when safe_mode prevented reading /etc/passwd and open_basedir prevented accessing /etc. The implementation of the getpw{uid,nam} functions (and their group equivalents) in PHP does not check the values of safe_mode and open_basedir, letting a user rebuild a complete /etc/passwd file. There is no implementation of getpwent(), so the user has to loop over all possible uids, but in some environments this can cause some problems.

For more information, I have posted a bug report and a script showing the problem: http://bugs.php.net/bug.php?id=16733

I hope that can prevent some problems on your servers ;) Anyway, a quick fix would be to disable the posix_* functions that deal with the user database.

Sysadmin @ Skreel.org && Kheos.net
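The quick fix above is a php.ini change: list the user-database calls in the disable_functions directive. The following POSIX shell script is an added example, not part of the original post or of PHP itself: it writes two constructed php.ini samples (one with nothing disabled, one with the four functions disabled) and audits which of posix_getpwuid, posix_getpwnam, posix_getgrgid and posix_getgrnam are still callable according to each file. The function name missing_posix_userdb_functions and the sample ini contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the
# posix user-database functions the post recommends disabling.
# The two ini files written below are constructed samples, not real config.

# posix_* functions that read the Unix user/group database and, per the
# post, ignore safe_mode and open_basedir.
POSIX_USERDB_FUNCS="posix_getpwuid posix_getpwnam posix_getgrgid posix_getgrnam"

# Print, space-separated, those functions that are NOT listed in the
# disable_functions directive of the php.ini given as $1.
missing_posix_userdb_functions() {
    ini="$1"
    # PHP uses the last occurrence of a directive; take that line, strip the
    # key, then drop whitespace and quotes to get a comma-separated list.
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | sed 's/^[^=]*=//; s/[[:space:]"]//g')
    missing=""
    for f in $POSIX_USERDB_FUNCS; do
        case ",$disabled," in
            *",$f,"*) ;;                                   # already disabled
            *) missing="$missing${missing:+ }$f" ;;       # still callable
        esac
    done
    printf '%s\n' "$missing"
}

# Weak configuration (constructed): safe_mode and open_basedir are set but
# the user-database functions are left enabled, so the restriction on
# /etc/passwd can be sidestepped through them.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
safe_mode = On
open_basedir = /var/www
disable_functions =
EOF

# Hardened configuration (constructed): the four functions are disabled.
HARD_INI=$(mktemp)
cat > "$HARD_INI" <<'EOF'
safe_mode = On
open_basedir = /var/www
disable_functions = "posix_getpwuid, posix_getpwnam, posix_getgrgid, posix_getgrnam"
EOF
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT

echo "weak:     still callable -> $(missing_posix_userdb_functions "$WEAK_INI")"
echo "hardened: still callable -> $(missing_posix_userdb_functions "$HARD_INI")"
```

disable_functions is a system-level directive, so besides php.ini it can also be set with php_admin_value in the web server configuration; point the function at every file where your deployment sets it, and note that a later definition overrides an earlier one.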
This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 22:07:20 PDT