4639520 2000-01-04  19:45  /111 lines/ Postmaster
Recipient: Bugtraq (import) <9138>
Subject: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000103224740.16223@white.koehntopp.de>
Date:         Mon, 3 Jan 2000 22:47:40 +0100
Reply-To: Kristian Koehntopp <kris@KOEHNTOPP.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Kristian Koehntopp <kris@KOEHNTOPP.DE>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

PHP3 (http://www.php.net) is a scripting language used in many
webhosting setups. Often in hosting setups so called "safe_mode"
is enabled, which restricts the user in many ways. For example,
in safe_mode you are supposed to be able to execute only
programs from a safe_mode_exec_dir, if one is defined. Within
that directory there should be only a restricted command set
that is considered safe.

When safe_mode is enabled, PHP3 is supposed to apply
EscapeShellCmd() to each shell command to prevent the user from
breaking out of this directory. As it turns out, the popen()
function does not do this in safe_mode. I was able to set up a
web server with safe_mode enabled and a safe_mode_exec_dir
containing only "ls". I then wrote the following script:

<?php
  $fp = popen("ls -l /opt/bin; /usr/bin/id", "r");
  echo "$fp<br>\n";
  while($line = fgets($fp, 1024)):
    printf("%s<br>\n", $line);
  endwhile;
  pclose($fp);

  phpinfo();
 ?>

which gave me the following output:

1
total 53
-rwxr-xr-x 1 root root 52292 Jan 3 22:05 ls
uid=30(wwwrun) gid=65534(nogroup) groups=65534(nogroup)

and from the configuration values of phpinfo():

safe_mode            0             1


The following patch against functions/file.c fixes the problem,
I hope:

Index: functions/file.c
===================================================================
RCS file: /repository/php3/functions/file.c,v
retrieving revision 1.229
retrieving revision 1.230
diff -u -r1.229 -r1.230
--- functions/file.c    2000/01/01 04:31:15     1.229
+++ functions/file.c    2000/01/03 21:31:31     1.230
@@ -26,7 +26,7 @@
    | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
 #include "php.h"

 #include <stdio.h>
@@ -51,6 +51,7 @@
 #include "safe_mode.h"
 #include "php3_list.h"
 #include "php3_string.h"
+#include "exec.h"
 #include "file.h"
 #if HAVE_PWD_H
 #if MSVC5
@@ -575,7 +576,7 @@
        pval *arg1, *arg2;
        FILE *fp;
        int id;
-       char *p;
+       char *p, *tmp = NULL;
        char *b, buf[1024];
        TLS_VARS;

@@ -600,7 +601,11 @@
                } else {
                        snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
                }
-               fp = popen(buf,p);
+
+               tmp = _php3_escapeshellcmd(buf);
+               fp = popen(tmp,p);
+               efree(tmp); /* temporary copy, no longer necessary */
+
                if (!fp) {
                        php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
                        RETURN_FALSE;
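Review bot: the new _php3_escapeshellcmd() call sits after the closing brace of the if/else at the top of the hunk, so it escapes whatever buf holds on either branch, not only the safe_mode_exec_dir-prefixed one; if the branch not shown here is the non-safe_mode path, ordinary popen("cmd | grep x", ...) calls will now have their pipes and redirections backslash-escaped as well, so please confirm this code is reached only under safe_mode, or move the escaping into the safe_mode branch. The efree(tmp) right after popen() is fine, since popen() has already handed the string to the child by the time it returns.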

As a web hoster, you should not rely on safe_mode for security,
but use the CGI version of PHP in a chroot()ed environment
instead.

Kristian
(4639520) ------------------------------------------
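A model of the safe_mode popen() path described in the report, added here as an illustrative example rather than PHP's own code: it builds the command the way safe_mode does (safe_mode_exec_dir + "/" + argument) and shows the string the shell would receive before and after an escapeshellcmd()-style pass. The metacharacter set is an assumption taken from PHP's escapeshellcmd() documentation, and escape_shell_cmd()/build_safe_mode_cmd() are stand-ins, not the functions in functions/file.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metacharacters escaped by PHP's escapeshellcmd() (assumed from its docs). */
static const char META[] = "#&;`|*?~<>^()[]{}$\\\n\xff";

/* Illustrative stand-in for _php3_escapeshellcmd(): malloc'ed copy of cmd
 * with every metacharacter backslash-escaped. Caller frees. */
char *escape_shell_cmd(const char *cmd)
{
    size_t len = strlen(cmd), y = 0;
    char *out = malloc(2 * len + 1);        /* worst case: every byte escaped */
    if (!out) return NULL;
    for (size_t x = 0; x < len; x++) {
        if (strchr(META, cmd[x])) out[y++] = '\\';  /* cmd[x] is never '\0' here */
        out[y++] = cmd[x];
    }
    out[y] = '\0';
    return out;
}

/* Build "<safe_mode_exec_dir>/<argument>" as safe_mode does. escape == 0
 * models the unpatched popen(buf,p); escape != 0 the patched one. Caller frees. */
char *build_safe_mode_cmd(const char *exec_dir, const char *cmd, int escape)
{
    char buf[1024];
    snprintf(buf, sizeof buf, "%s/%s", exec_dir, cmd);
    if (escape) return escape_shell_cmd(buf);
    char *copy = malloc(strlen(buf) + 1);
    if (copy) memcpy(copy, buf, strlen(buf) + 1);
    return copy;
}

int main(void)
{
    /* Constructed input: the argument from the report's test script. */
    const char *arg = "ls -l /opt/bin; /usr/bin/id";
    char *before = build_safe_mode_cmd("/opt/bin", arg, 0);
    char *after  = build_safe_mode_cmd("/opt/bin", arg, 1);
    printf("unpatched shell sees: %s\n", before);  /* ';' starts a second command */
    printf("patched shell sees:   %s\n", after);   /* '\;' and /usr/bin/id are args to ls */
    free(before);
    free(after);
    return 0;
}
```

Note that the escaped string still reaches /bin/sh; the fix only stops the argument from ending the first command, which is why the report recommends a chroot()ed CGI setup over safe_mode.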


4640194 2000-01-05  06:40  /89 lines/ Postmaster
Recipient: Bugtraq (import) <9168>
Subject: Re: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=Clx92ZfkiYIKRjnr
Content-Transfer-Encoding: 8bit
X-Operating-System: Linux 2.2.12 on an i686
Message-ID:  <20000104235132.A10294@lab.nnx.fr>
Date:         Tue, 4 Jan 2000 23:51:33 +0100
Reply-To: David TILLOY <d.tilloy@NNX.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: David TILLOY <d.tilloy@NNX.COM>
X-To:         php-dev@lists.php.net, BUGTRAQ@securityfocus.com
X-cc:         Kristian Koehntopp <kris@koehntopp.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000103224740.16223@white.koehntopp.de>

--Clx92ZfkiYIKRjnr
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Kristian Koehntopp [kris@KOEHNTOPP.DE] wrote:
> PHP3 (http://www.php.net) is a scripting language used in many
> webhosting setups. Often in hosting setups so called "safe_mode"
> is enabled, which restricts the user in many ways. For example,
> in safe_mode you are supposed to be able to execute only
> programs from a safe_mode_exec_dir, if one is defined. Within
> that directory there should be only a restricted command set
> that is considered safe.

	[.../...]
	
	Right... Your patch seems to work only with php-3.0.12.
	I attach modified version for php-3.0.13.
	
dav.


--
David TILLOY - Project Manager - <d.tilloy@nnx.com>
Neuronnexion (nnx) - 19/21, rue des Augustins - F-80000 Amiens
Voice (+33 3).22.71.61.90 - Fax (+33 3).22.71.61.99

--Clx92ZfkiYIKRjnr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="php_popen-3.0.13.patch"

--- /tmp/php-3.0.13/functions/file.c	Sat Jan  1 05:31:15 2000
+++ functions/file.c	Tue Jan  4 23:35:16 2000
@@ -26,7 +26,7 @@
    | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
 #include "php.h"

 #include <stdio.h>
@@ -51,6 +51,7 @@
 #include "safe_mode.h"
 #include "php3_list.h"
 #include "php3_string.h"
+#include "exec.h"
 #include "file.h"
 #if HAVE_PWD_H
 #if MSVC5
@@ -575,7 +576,7 @@
 	pval *arg1, *arg2;
 	FILE *fp;
 	int id;
-	char *p;
+	char *p, *tmp=NULL;
 	char *b, buf[1024];
 	TLS_VARS;
 	
@@ -601,6 +602,11 @@
 			snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
 		}
 		fp = popen(buf,p);
+		
+		tmp = _php3_escapeshellcmd(buf);
+		fp = popen(tmp,p);
+		efree(tmp); /* temporary copy, no longer necessary */
+		
 		if (!fp) {
 			php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
 			RETURN_FALSE;
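Review bot: the original `fp = popen(buf,p);` is kept as an unchanged context line (the header `@@ -601,6 +602,11 @@` removes nothing) and a second popen(tmp,p) is added below it, so the unescaped command still runs first and its FILE* is then overwritten without a pclose(), leaking the pipe descriptor and an unreaped child on every call. Mark that line with `-` so only the escaped popen() remains: `-		fp = popen(buf,p);`.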

--Clx92ZfkiYIKRjnr--
(4640194) ------------------------------------------

4643299 2000-01-06  00:06  /95 lines/ Postmaster
Recipient: Bugtraq (import) <9198>
Subject: Re: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
User-Agent: Mutt/1.1i
X-Operating-System: Linux picard 2.2.13
X-Editor: VIM - Vi IMproved 5.6a BETA http://www.vim.org/
X-IRC: tirc-1.2; Nick: jeanluc
X-URL: http://home.pages.de/~jeanluc/
Message-ID:  <20000105095018.A863@picard.franken.de>
Date:         Wed, 5 Jan 2000 09:50:18 +0100
Reply-To: =?iso-8859-1?Q?Thomas_K=F6hler?= <jean-luc@PICARD.FRANKEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: =?iso-8859-1?Q?Thomas_K=F6hler?= <jean-luc@PICARD.FRANKEN.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000104235132.A10294@lab.nnx.fr>; from d.tilloy@NNX.COM on Wed 
             Jan 05, 2000 at 04:27:48AM +0100
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id AAA05946

On Wed, Jan 05, 2000 at 04:27:48AM +0100,
David TILLOY <d.tilloy@NNX.COM> wrote:
> 
> Kristian Koehntopp [kris@KOEHNTOPP.DE] wrote:
> > PHP3 (http://www.php.net) is a scripting language used in many
> > webhosting setups. Often in hosting setups so called "safe_mode"
> > is enabled, which restricts the user in many ways. For example,
> > in safe_mode you are supposed to be able to execute only
> > programs from a safe_mode_exec_dir, if one is defined. Within
> > that directory there should be only a restricted command set
> > that is considered safe.
> 
> 	[.../...]
> 	
> 	Right... Your patch seems to work only with php-3.0.12.
> 	I attach modified version for php-3.0.13.
> 	
> dav.

> --- /tmp/php-3.0.13/functions/file.c	Sat Jan  1 05:31:15 2000
> +++ functions/file.c	Tue Jan  4 23:35:16 2000
> @@ -26,7 +26,7 @@
>     | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
>     +----------------------------------------------------------------------+
>   */
> -/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
> +/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
>  #include "php.h"
> 
>  #include <stdio.h>
> @@ -51,6 +51,7 @@
>  #include "safe_mode.h"
>  #include "php3_list.h"
>  #include "php3_string.h"
> +#include "exec.h"
>  #include "file.h"
>  #if HAVE_PWD_H
>  #if MSVC5
> @@ -575,7 +576,7 @@
>  	pval *arg1, *arg2;
>  	FILE *fp;
>  	int id;
> -	char *p;
> +	char *p, *tmp=NULL;
>  	char *b, buf[1024];
>  	TLS_VARS;
>  	
> @@ -601,6 +602,11 @@
>  			snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
>  		}
>  		fp = popen(buf,p);

Not removing this line leaves the problem in PHP3. You'd better remove
it :-)

> +		
> +		tmp = _php3_escapeshellcmd(buf);
> +		fp = popen(tmp,p);
> +		efree(tmp); /* temporary copy, no longer necessary */
> +		
>  		if (!fp) {
>  			php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
>  			RETURN_FALSE;
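Review bot: besides the retained unescaped popen() already pointed out above, the second popen(tmp,p) assigns fp without a pclose() of the first stream, so every safe_mode popen() call also leaks a pipe descriptor and leaves a child unreaped; both go away once the context line `fp = popen(buf,p);` is turned into a `-` line so that only the escaped call remains.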


CU,
Thomas

-- 
 Thomas Köhler Email:   jean-luc@picard.franken.de   | LCARS - Linux for
     <><        WWW:  http://home.pages.de/~jeanluc/ | Computers on All
                IRC:             jeanluc             | Real Starships
   PGP public key: http://www.mayn.de/users/jean-luc/PGP-Public.asc
(4643299) ------------------------------------------(Rewrapped)

4646652 2000-01-06  22:14  /43 lines/ Postmaster
Recipient: Bugtraq (import) <9212>
Subject: Re: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Newsreader: NN version 6.5.1 (NOV)
Content-Type: text
Message-ID:  <200001060831.JAA09468@valiant.koehntopp.de>
Date:         Thu, 6 Jan 2000 09:31:44 +0100
Reply-To: Kristian Koehntopp <kris@KOEHNTOPP.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Kristian Koehntopp <kris@KOEHNTOPP.DE>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

In netuse.lists.bugtraq you write:
>	Right... Your patch seems to work only with php-3.0.12.
>	I attach modified version for php-3.0.13.

Actually, my patch is against the current CVS of PHP and the
diff I posted was being generated directly from the CVS. Get
yourself a copy of current PHP directly from the CVS and all is
well.

>@@ -601,6 +602,11 @@
> 			snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
> 		}
> 		fp = popen(buf,p);
>+		
>+		tmp = _php3_escapeshellcmd(buf);
>+		fp = popen(tmp,p);
>+		efree(tmp); /* temporary copy, no longer necessary */
>+		

Your patch does popen twice and the first popen() is unescaped.
This is broken and should not be used. Again, please use the CVS
to get a properly patched version of PHP or wait for the bugfix
release of PHP which will be out RSN.

Kristian
(4646652) ------------------------------------------

4807102 2000-02-17  08:00  /129 lines/ Postmaster
Recipient: Bugtraq (import) <9810>
Subject: Re: ASP Security Hole (PHP Too)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <20000215224543.E7C7DB812@fear.qoop.org>
Date:         Tue, 15 Feb 2000 16:45:43 -0600
Reply-To: "Joshua J. Drake" <jdrake@QOOP.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Joshua J. Drake" <jdrake@QOOP.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <81D7AF647CE8D211A53A00805F9FACFB50D68C@WATERTOWER> from "Justi 
             King" at Feb 10, 2000 03:47:36 PM

The following is also true for PHP.  Naming PHP include files .inc
gives anyone full-read access to the files by simply requesting them
by name.

The solution of course is to do one of the following:

  a.  name php include files with a PHP extension (.php, .php3, etc) that is
      associated with PHP parsing them
  b.  associate .inc files with PHP so that they are parsed and not displayed

> It has been preached by the ASP industry professionals for as long as I've
> been in it, that ALL included files MUST have a ".asp" extension and that
> ASP debugging should be disabled on all production servers in order to keep
> all code out of evil hands.
>
> The problem here is 100% between the chair and the keyboard.
>
>  -----Original Message-----
> From: 	bgreenbaum@SECURITYFOCUS.COM [mailto:bgreenbaum@SECURITYFOCUS.COM]
> Sent:	Wednesday, February 09, 2000 7:22 PM
> To:	BUGTRAQ@SECURITYFOCUS.COM
> Subject:	ASP Security Hole (fwd)
>
> Forwarded with permission of the author. Please direct all replies to
> jwalsh@jwsg.com.
>
> Ben Greenbaum
> Director of Site Content
> Security Focus
> http://www.securityfocus.com
>
> ---------- Forwarded message ----------
> Description:
> ============
> Active server pages (ASP) with runtime errors
> expose a security hole that publishes
> the full source code name to the caller.
> If these scripts are published on the
> internet before they are debugged by
> the programmer, the major search
> engines index them.  These indexed
> ASP pages can be then located with a
> simple search.  The search results publish
> the full path and file name for the ASP
> scripts. This URL can be viewed in a browser
> and may reveal full source code with
> details of business logic, database location
> and structure.
>
> Procedure:
> ==========
> - In the Altavisa search engine execute a search for
> +"Microsoft VBScript runtime error" +".inc, "
>
> - Look for search results that include the full
> path and filename for an include (.inc) file.
>
> - Append the include filename to the host name
> and call this up in a web browser.
> Example:  www.rodney.com/stationery/browser.inc
>
> Examples:
> =========
> http://shopping.altavista.com/inc/lib/prep.lib
> Exposes database connections and properties, resource locations,
> cookie logic, server IP addresses, business logic
>
> http://www.justshop.com/SFLib/ship.inc
> Exposes database properties, business logic
>
> http://www.bbclub.com:8013/includes/general.inc
> Exposes cobranding business logic
>
> http://www.salest.com/corporate/admin/include/jobs.inc
> Exposes datafile locations and structure
>
> http://www.bjsbabes.com/SFLib/design.inc
> Exposes source code for StoreFront 2000 including
> database structure
>
> http://www.ffg.com/scripts/IsSearchEngine.inc
> Exposes search engine log
>
> http://www.wcastl.com/include/functions.inc
> Exposes members email addresses and
> private comments file http://www.wcastl.com/flat/comments.txt
>
> http://www.traveler.net/two/cookies.inc
> Exposes cookie logic
>
> Resolution:
> ===========
>
> - Search engines should not index pages that
> have ASP runtime errors.
>
> - Programmers should fully debug their ASP
> scripts before publishing them on the web
>
> - Security administrators need to secure
> the ASP include files so that external users
> can not view them.
>
>
>
>
> ===========================
> Jerry Walsh
> JW's Software Gems
> Email  jwalsh@jwsg.com
> Phone  (949) 855-0233
> Website http://www.jwsg.com
> ===========================
>
(4807102) ------------------------------------------(Rewrapped)