Date: 01/05/01
- Next message: sniper <email protected>: "[PHP-DEV] PHP 4.0 Bug #8117 Updated: Configuration-Error: upload_max_filesize"
- Previous message: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
- In reply to: Zeev Suraski: "[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
- Next in thread: Stanislav Malyshev: "Re: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec"
Ah. It's been a hard one to work out if it's real or not due to our webserver
configuration. I'll do a little more testing, and hopefully patch it
sometime soon if I can convince myself of its reality :)
adamw
----- Original Message -----
From: "Zeev Suraski" <zeev <email protected>>
To: "Adam Wright" <adam <email protected>>
Cc: <php-dev <email protected>>
Sent: Friday, January 05, 2001 1:56 PM
Subject: [PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec
> Oh, well, actually I was too quick to respond - ".\" is indeed an invalid
> escape, but PHP treats it as ".\\", and not just ".".
>
> I just checked, shells indeed accept \.\. as if it was "..", so the bug is
> legit. If anybody attempts to fix it - note that \.. and .\. are also
> possible.
>
> Zeev
>
> At 14:56 5/1/2001, Adam Wright wrote:
> >Not to be annoying (well, not entirely), but if \. is parsed out at the
> >lexical level, why does...
> >
> ><?
> >
> >if ("\." == ".")
> > print "Same";
> >else
> > print "Different";
> >
> >echo "Different"?
> >
> >adamw
> >
> >----- Original Message -----
> >From: "Zeev Suraski" <zeev <email protected>>
> >To: "Adam Wright" <adam <email protected>>
> >Cc: "PHP Development" <php-dev <email protected>>
> >Sent: Friday, January 05, 2001 12:42 PM
> >Subject: Re: Pretty mammoth security issue with safe_mode_exec
> >
> >
> > > At 14:11 5/1/2001, Adam Wright wrote:
> > > >If you have safe mode enabled, and have a safe mode exec directory, here's
> > > >how you can execute binaries outside of your safe mode exec directory!
> > > >
> > > >Normally...
> > > >
> > > >system("../../../../../bin/cp blah blip");
> > > >
> > > >would fail (as .. is blocked in _Exec (standard/exec.c))
> > > >
> > > >However...
> > > >
> > > >system("\.\./\.\./\.\./\.\./\.\./bin/cp blah blip");
> > > >
> > > >will work fine! This is because the .. check was performed before the
> > > >php_escape_shell_cmd in exec.c!
> > >
> > > > That's very very odd, because as far as system() (or any function for that
> > > > matter) is concerned, ".." and "\.\." is exactly the same thing. At the
> > > > scanner level, all the way down in the Zend Engine, it converts the bogus
> > > > "\.\." string (which has illegal escapes) to "..".
> > >
> > > Are you sure this is the symptom exactly?
> > >
> > > Zeev
> > >
> > >
> > > --
> > > Zeev Suraski <zeev <email protected>>
> > > CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
> > >
> > >
>
> --
> Zeev Suraski <zeev <email protected>>
> CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
> For additional commands, e-mail: php-dev-help <email protected>
> To contact the list administrators, e-mail: php-list-admin <email protected>
>
>
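The ordering problem discussed in this thread, as an added C example that is not code from the thread or from PHP's exec.c: a ".." check on the raw command string misses `\.\.` and `.\.`, while the same check run on the string as the shell will read it catches them. The function names and the simplified backslash model (no handling of quoted strings) are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* The check as the thread describes it: look for ".." in the raw string. */
static int naive_has_dotdot(const char *cmd)
{
    return strstr(cmd, "..") != NULL;
}

/* Model of unquoted-backslash handling in a POSIX shell: a backslash makes
 * the next character literal and is itself removed. Quoting inside '...'
 * and "..." is deliberately not modelled (assumption of this sketch). */
static void shell_unescape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outlen; i++) {
        if (in[i] == '\\') {
            if (in[i + 1] == '\0')
                break;          /* trailing backslash: nothing to escape */
            i++;                /* drop the backslash, keep the next char */
        }
        out[o++] = in[i];
    }
    out[o] = '\0';
}

/* Run the same check on the form the shell will act on. */
static int normalized_has_dotdot(const char *cmd)
{
    char buf[1024];
    if (strlen(cmd) >= sizeof buf)
        return 1;               /* fail closed on input too long to inspect */
    shell_unescape(cmd, buf, sizeof buf);
    return strstr(buf, "..") != NULL;
}

int main(void)
{
    /* Constructed samples: the forms named in the thread, plus a clean one. */
    const char *samples[] = { "../bin/cp", "\\.\\./bin/cp", "\\../bin/cp",
                              ".\\./bin/cp", "ls -l" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s naive=%d normalized=%d\n", samples[i],
               naive_has_dotdot(samples[i]), normalized_has_dotdot(samples[i]));
    return 0;
}
```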

