Date: 01/05/01
- Next message: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
- Previous message: Adam Wright: "Re: [PHP-DEV] Pretty mammoth security issue with safe_mode_exec"
- Next in thread: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
- Reply: Adam Wright: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
- Reply: Stanislav Malyshev: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Oh, well, actually I was too quick to respond - ".\" is indeed an invalid
escape, but PHP treats it as ".\\", and not just ".".
I just checked, shells indeed accept \.\. as if it was "..", so the bug is
legit. If anybody attempts to fix it - note that \.. and .\. are also
possible.
Zeev
At 14:56 5/1/2001, Adam Wright wrote:
>Not to be annoying (well, not entirely), but if \. is parsed out at the
>lexical level, why does...
>
><?
>
>if ("\." == ".")
> print "Same";
>else
> print "Different";
>
>echo "Different"?
>
>adamw
>
>----- Original Message -----
>From: "Zeev Suraski" <zeev <email protected>>
>To: "Adam Wright" <adam <email protected>>
>Cc: "PHP Development" <php-dev <email protected>>
>Sent: Friday, January 05, 2001 12:42 PM
>Subject: Re: Pretty mammoth security issue with safe_mode_exec
>
>
> > At 14:11 5/1/2001, Adam Wright wrote:
> > >If you have safe mode enabled, and have a safe mode exec directory, here's
> > >how you can execute binaries outside of your safe mode exec directory!
> > >
> > >Normally...
> > >
> > >system("../../../../../bin/cp blah blip");
> > >
> > >would fail (as .. is blocked in _Exec (standard/exec.c))
> > >
> > >However...
> > >
> > >system("\.\./\.\./\.\./\.\./\.\./bin/cp blah blip");
> > >
> > >will work fine! This is because the .. check was performed before the
> > >php_escape_shell_cmd in exec.c!
> >
> > That's very very odd, because as far as system() (or any function for that
> > matter) is concerned, ".." and "\.\." is exactly the same thing. At the
> > scanner level, all the way down in the Zend Engine, it converts the bogus
> > "\.\." string (which has illegal escapes) to "..".
> >
> > Are you sure this is the symptom exactly?
> >
> > Zeev
> >
> >
> > --
> > Zeev Suraski <zeev <email protected>>
> > CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
> >
> >
--
Zeev Suraski <zeev <email protected>>
CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
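
An added example, not code from PHP's standard/exec.c or from anyone in this thread: it contrasts a raw-string ".." check with one that first removes what a shell strips while parsing, using the forms named above. The function names and sample commands are constructed for illustration, and the second check deliberately over-blocks by also dropping quote characters.

```c
#include <stdio.h>
#include <string.h>

/* The check as the thread describes it: a literal ".." in the raw string.
 * Hypothetical helper for illustration, not the code in standard/exec.c. */
static int naive_has_dotdot(const char *cmd)
{
    return strstr(cmd, "..") != NULL;
}

/* Shell-aware check: drop the characters a POSIX shell removes while parsing
 * (a backslash before another character, and quote characters), then look for
 * "..". It over-approximates on purpose: quoted text may be flagged even when
 * the shell would keep it literal. Returns 1 when the command must be refused. */
static int shell_aware_has_dotdot(const char *cmd)
{
    char buf[1024];
    size_t n = 0;

    for (const char *p = cmd; *p != '\0'; p++) {
        if (*p == '\'' || *p == '"')
            continue;                      /* quotes vanish after parsing */
        if (*p == '\\' && p[1] != '\0')
            p++;                           /* "\." is seen by the shell as "." */
        if (n + 1 >= sizeof buf)
            return 1;                      /* too long to inspect: fail closed */
        buf[n++] = *p;
    }
    buf[n] = '\0';
    return strstr(buf, "..") != NULL;
}

int main(void)
{
    /* Constructed inputs: the forms named in the thread, plus a benign one. */
    const char *samples[] = { "../bin/cp a b", "\\.\\./bin/cp a b",
                              "\\../bin/cp a b", ".\\./bin/cp a b", "cp a b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s naive=%d shell_aware=%d\n", samples[i],
               naive_has_dotdot(samples[i]), shell_aware_has_dotdot(samples[i]));
    return 0;
}
```

The raw-string check misses the `\.\.` and `.\.` forms because the two dots are not adjacent until the shell has removed the backslash.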

