From: Laurent Papier (papiersdv.fr)
Date: Mon Jul 02 2001 - 10:02:50 CDT

    Joost Pol wrote:

    > 2. PHP Version 4.0.5/4.0.4pl1 SOMETIMES breaks safe_mode.
    >
    > 2.0 - Description of the problem
    >
    > PHP safe_mode has the nice feature of disallowing the opening/reading
    > and writing to files that are not owned by the uid that the script
    > is owned by.
    >
    > Though using some "common sense" it still is possible to open/read
    > and write to files that are owned by the uid the webserver is
    > running as.
    >
    > *notice* assuming that something like suexec is not in place */notice*
    >
    > An attacker could upload a simple script that does the following:
    >
    > <?
    > $cmd = '<? showsource($foo); ?>';
    > error_log($cmd,3,"/path/to/user/wwwspace/nobody.php");
    > ?>
    >
    > For example, assuming that the error_log is owned by the webserver it
    > could be read using a simple query:
    >
    > http://foo.bar/~user/nobody.php?foo=/path/to/webserver/logs/access_log
    >
    > 2.1 - Impact
    >
    > Depends on the setup of the hosting box.
    >
    > If suexec or something similar is used, impact is nihil.
    >
    > See also 1.1.1/1.1.2
    >
    > 2.3 - Solution
    >
    > Disallow the changing of the error_log location in safe_mode?
    >
    > Not really for me to say, the PHP-team will come with something good.
    >
    > Notice: just changing the error_log function won't do, you could also
    > change the ini setting error_log (or another ini setting
    > that has a similar effect).
    >
    > These ini settings can be set from a user script since they
    > all have PHP_INI_ALL permissions.
    >
    > Maybe disallow setting of ini variables in safemode?

    I think safe_mode should always be used with the open_basedir directive in
    order to limit user filesystem access.
    As error_log is limited by open_basedir, suexec is not needed to have a
    secure system as long as open_basedir is correctly set.

    I see nothing wrong with allowing users to use error_log.
    I don't think the PHP team should change the error_log function.

    -- 
    Laurent Papier - Admin. systeme
    Sdv Plurimedia - <http://www.sdv.fr>
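
The pairing of safe_mode with open_basedir discussed in this thread, as an added example (not code from either poster or from PHP): a small Python audit that flags safe_mode without open_basedir and models which of the thread's placeholder paths an open_basedir value would admit. The function names are hypothetical, the configurations are constructed, and the path test is a simplified model (prefix match for entries without a trailing slash, as the PHP manual of that era documented; no symlink resolution).

```python
import posixpath

def parse_ini(text):
    """Parse php.ini-style text into {directive: value}; the last value wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg

def basedir_allows(open_basedir, path):
    """Simplified model of the open_basedir test (no symlink resolution)."""
    entries = [e for e in open_basedir.split(":") if e]
    if not entries:
        return True                              # unset: no path restriction
    target = posixpath.normpath(path)            # collapses ../ sequences
    for entry in entries:
        base = posixpath.normpath(entry)
        if entry.endswith("/"):                  # treated as a directory
            if target == base or target.startswith(base.rstrip("/") + "/"):
                return True
        elif target.startswith(base):            # bare entry: string prefix
            return True
    return False

def audit(ini_text, paths):
    """Return (findings, {path: allowed}) for one configuration."""
    cfg = parse_ini(ini_text)
    basedir = cfg.get("open_basedir", "")
    findings = []
    if cfg.get("safe_mode", "off").lower() in ("1", "on", "yes", "true") and not basedir:
        findings.append("safe_mode is on but open_basedir is unset")
    for entry in filter(None, basedir.split(":")):
        if not entry.endswith("/"):
            findings.append("open_basedir entry %s lacks a trailing slash" % entry)
    return findings, {p: basedir_allows(basedir, p) for p in paths}

# Constructed configurations; the paths are the placeholders used in the message.
WEAK = "safe_mode = On\n"
HARDENED = "safe_mode = On\nopen_basedir = /path/to/user/wwwspace/\n"
SCRIPT = "/path/to/user/wwwspace/nobody.php"
LOG = "/path/to/webserver/logs/access_log"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(ini, [SCRIPT, LOG]))
```

In this model the file in the user's own web space stays inside open_basedir, while the webserver's log falls outside it and is refused. An entry written without the trailing slash is reported because it would also match sibling directories sharing the same prefix.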