PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Hiermenus
DatabaseJournal
Technology Jobs

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Covalent Extends Apache 2.0 to Microsoft ASP.NET
ShopWorX - Support for Windows
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Network Risk Assessment
Full-Featured, Java-Based Apache GUI

Partners & Affiliates

Storing Binary Data In a DB
PHP, XML, XSL, XPATH and Web Services
Cached Dynamic Modules
Spell Checking and URL Tricks
In Case You Missed It...The Week of April 24, 2006

[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec From: Zeev Suraski (zeev <email protected>)
Date: 01/05/01

Next message: Zeev Suraski: "Re: [PHP-DEV] Re: 4.0.4pl1 RC1 rolled"
Previous message: Andre Christ: "RE: [PHP-DEV] web-based access to Zend & TSRM CVS"
In reply to: Adam Wright: "[PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
Next in thread: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Adam Wright: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Maybe reply: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 14:11 5/1/2001, Adam Wright wrote:
>If you have safe mode enabled, and have a safe mode exec directory, here's
>how you can execute binarys outside of your safe mode exec directory!
>
>Normally...
>
>system("../../../../../bin/cp blah blip");
>
>would fail (as .. is blocked in _Exec (standard/exec.c)
>
>However...
>
>system("\.\./\.\./\.\./\.\./\.\./bin/cp blah blip");
>
>will work fine! This is because the .. check was performed before the
>php_escape_shell_cmd in exec.c!

That's very very odd, because as far as system() (or any function for that
matter) is concerned, ".." and "\.\." is exactly the same thing. At the
scanner level, all the way down in the Zend Engine, it converts the bogus
"\.\." string (which has illegal escapes) to "..".

Are you sure this is the symptom exactly?

Zeev

--
Zeev Suraski <zeev <email protected>>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>

Next message: Zeev Suraski: "Re: [PHP-DEV] Re: 4.0.4pl1 RC1 rolled"
Previous message: Andre Christ: "RE: [PHP-DEV] web-based access to Zend & TSRM CVS"
In reply to: Adam Wright: "[PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
Next in thread: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Reply: Adam Wright: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Maybe reply: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]