PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Hiermenus
DatabaseJournal
Technology Jobs

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Covalent Extends Apache 2.0 to Microsoft ASP.NET
ShopWorX - Support for Windows
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Network Risk Assessment
Full-Featured, Java-Based Apache GUI

Partners & Affiliates

Faking It - Simulated Database Queries
In Case You Missed It... The Week of June 27, 2005
In Case You Missed It...
BitMasks - Emulate Unix Permissions in PHP
MySQL Date and Time Functions, Part 2

[PHP-DEV] Pretty mammoth security issue with safe_mode_exec From: Adam Wright (adam <email protected>)
Date: 01/05/01

Next message: Cynic: "[PHP-DEV] web-based access to Zend & TSRM CVS"
Previous message: anonymous <email protected>: "[PHP-DEV] CVS Account Request"
Next in thread: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Adam Wright: "Re: [PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
Reply: Stanislav Malyshev: "Re: [PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If you have safe mode enabled, and have a safe mode exec directory, here's
how you can execute binarys outside of your safe mode exec directory!

Normally...

system("../../../../../bin/cp blah blip");

would fail (as .. is blocked in _Exec (standard/exec.c)

However...

system("\.\./\.\./\.\./\.\./\.\./bin/cp blah blip");

will work fine! This is because the .. check was performed before the
php_escape_shell_cmd in exec.c!

--We fixed it, and our PHP *still* compiles :)

(untested patch for exec.c attached)

adamw
adam <email protected>

application/octet-stream attachment: php-4.0.4-system.patch

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>

Next message: Cynic: "[PHP-DEV] web-based access to Zend & TSRM CVS"
Previous message: anonymous <email protected>: "[PHP-DEV] CVS Account Request"
Next in thread: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Adam Wright: "Re: [PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
Reply: Stanislav Malyshev: "Re: [PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]