4639520 2000-01-04 19:45 /111 lines/ Postmaster
Recipient: Bugtraq (import) <9138>
Subject: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000103224740.16223@white.koehntopp.de>
Date: Mon, 3 Jan 2000 22:47:40 +0100
From: Kristian Koehntopp <kris@KOEHNTOPP.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

PHP3 (http://www.php.net) is a scripting language used in many
webhosting setups. Often in hosting setups so-called "safe_mode"
is enabled, which restricts the user in many ways. For example,
in safe_mode you are supposed to be able to execute only
programs from a safe_mode_exec_dir, if one is defined. Within
that directory there should be only a restricted command set
that is considered safe.

When safe_mode is enabled, PHP3 is supposed to apply
EscapeShellCmd() to each shell command to prevent the user from
breaking out of this directory. As it turns out, the popen()
function does not do this in safe_mode.

I was able to set up a web server with safe_mode enabled and a
safe_mode_exec_dir containing only "ls". I then wrote the
following script:

  <?php
    $fp = popen("ls -l /opt/bin; /usr/bin/id", "r");
    echo "$fp<br>\n";
    while($line = fgets($fp, 1024)):
      printf("%s<br>\n", $line);
    endwhile;
    pclose($fp);
    phpinfo();
  ?>

which gave me the following output:

  1
  total 53
  -rwxr-xr-x   1 root     root        52292 Jan  3 22:05 ls
  uid=30(wwwrun) gid=65534(nogroup) groups=65534(nogroup)

and from the configuration values of phpinfo():

  safe_mode   0   1

The following patch against functions/file.c fixes the problem, I hope:

Index: functions/file.c
===================================================================
RCS file: /repository/php3/functions/file.c,v
retrieving revision 1.229
retrieving revision 1.230
diff -u -r1.229 -r1.230
--- functions/file.c	2000/01/01 04:31:15	1.229
+++ functions/file.c	2000/01/03 21:31:31	1.230
@@ -26,7 +26,7 @@
    | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
 #include "php.h"

 #include <stdio.h>
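Review bot: the `$Id:` keyword hunk (`-/* $Id: file.c,v 1.229 ... sas Exp $ */` / `+/* $Id: file.c,v 1.230 ... kk Exp $ */`) carries no functional change and would better be left out of the posted patch; its context line is the exact RCS revision string of the reader's file.c, so the diff only applies cleanly to a checkout at revision 1.229, while the safe_mode fix itself lives entirely in the later hunks.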
@@ -51,6 +51,7 @@
 #include "safe_mode.h"
 #include "php3_list.h"
 #include "php3_string.h"
+#include "exec.h"
 #include "file.h"
 #if HAVE_PWD_H
 #if MSVC5
@@ -575,7 +576,7 @@
 	pval *arg1, *arg2;
 	FILE *fp;
 	int id;
-	char *p;
+	char *p, *tmp = NULL;
 	char *b, buf[1024];
 	TLS_VARS;

@@ -600,7 +601,11 @@
 	} else {
 		snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
 	}
-	fp = popen(buf,p);
+
+	tmp = _php3_escapeshellcmd(buf);
+	fp = popen(tmp,p);
+	efree(tmp); /* temporary copy, no longer necessary */
+
 	if (!fp) {
 		php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
 		RETURN_FALSE;

As a web hoster, you should not rely on safe_mode for security, but
use the CGI version of PHP in a chroot()ed environment instead.

Kristian
(4639520) ------------------------------------------
4640194 2000-01-05 06:40 /89 lines/ Postmaster
Recipient: Bugtraq (import) <9168>
Subject: Re: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000104235132.A10294@lab.nnx.fr>
Date: Tue, 4 Jan 2000 23:51:33 +0100
From: David TILLOY <d.tilloy@NNX.COM>
To: php-dev@lists.php.net, BUGTRAQ@SECURITYFOCUS.COM
Cc: Kristian Koehntopp <kris@koehntopp.de>
In-Reply-To: <20000103224740.16223@white.koehntopp.de>

Kristian Koehntopp [kris@KOEHNTOPP.DE] wrote:
> PHP3 (http://www.php.net) is a scripting language used in many
> webhosting setups. Often in hosting setups so called "safe_mode"
> is enabled, which restricts the user in many ways. For example,
> in safe_mode you are supposed to be able to execute only
> programs from a safe_mode_exec_dir, if one is defined. Within
> that directory there should be only a restricted command set
> that is considered safe.

[.../...]

Right... Your patch seems to work only with php-3.0.12.
I attach modified version for php-3.0.13.

dav.
--
David TILLOY - Project manager - <d.tilloy@nnx.com>
Neuronnexion (nnx) - 19/21, rue des Augustins - F-80000 Amiens
Voice (+33 3).22.71.61.90 - Fax (+33 3).22.71.61.99

Attachment: php_popen-3.0.13.patch

--- /tmp/php-3.0.13/functions/file.c	Sat Jan  1 05:31:15 2000
+++ functions/file.c	Tue Jan  4 23:35:16 2000
@@ -26,7 +26,7 @@
    | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
 #include "php.h"

 #include <stdio.h>
@@ -51,6 +51,7 @@
 #include "safe_mode.h"
 #include "php3_list.h"
 #include "php3_string.h"
+#include "exec.h"
 #include "file.h"
 #if HAVE_PWD_H
 #if MSVC5
@@ -575,7 +576,7 @@
 	pval *arg1, *arg2;
 	FILE *fp;
 	int id;
-	char *p;
+	char *p, *tmp=NULL;
 	char *b, buf[1024];
 	TLS_VARS;

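Review bot: the NULL initialiser in `+	char *p, *tmp=NULL;` protects no path in this patch, because the following hunk assigns `tmp` unconditionally from `_php3_escapeshellcmd(buf)` immediately before its single `efree(tmp)`; it is harmless, but if the intent was to allow an early `efree(tmp)` on an error path, no such path exists, and a plain `char *p, *tmp;` would state the actual lifetime more clearly.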
@@ -601,6 +602,11 @@
 		snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
 	}
 	fp = popen(buf,p);
+
+	tmp = _php3_escapeshellcmd(buf);
+	fp = popen(tmp,p);
+	efree(tmp); /* temporary copy, no longer necessary */
+
 	if (!fp) {
 		php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
 		RETURN_FALSE;

(4640194) ------------------------------------------
4643299 2000-01-06 00:06 /95 lines/ Postmaster
Recipient: Bugtraq (import) <9198>
Subject: Re: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000105095018.A863@picard.franken.de>
Date: Wed, 5 Jan 2000 09:50:18 +0100
From: Thomas Köhler <jean-luc@PICARD.FRANKEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000104235132.A10294@lab.nnx.fr>; from d.tilloy@NNX.COM on Wed Jan 05, 2000 at 04:27:48AM +0100

On Wed, Jan 05, 2000 at 04:27:48AM +0100, David TILLOY <d.tilloy@NNX.COM> wrote:
>
> Kristian Koehntopp [kris@KOEHNTOPP.DE] wrote:
> > PHP3 (http://www.php.net) is a scripting language used in many
> > webhosting setups. Often in hosting setups so called "safe_mode"
> > is enabled, which restricts the user in many ways. For example,
> > in safe_mode you are supposed to be able to execute only
> > programs from a safe_mode_exec_dir, if one is defined. Within
> > that directory there should be only a restricted command set
> > that is considered safe.
>
> [.../...]
>
> Right... Your patch seems to work only with php-3.0.12.
> I attach modified version for php-3.0.13.
>
> dav.

> --- /tmp/php-3.0.13/functions/file.c	Sat Jan  1 05:31:15 2000
> +++ functions/file.c	Tue Jan  4 23:35:16 2000
> @@ -26,7 +26,7 @@
>     | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
>     +----------------------------------------------------------------------+
>   */
> -/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
> +/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
>  #include "php.h"
>
>  #include <stdio.h>
> @@ -51,6 +51,7 @@
>  #include "safe_mode.h"
>  #include "php3_list.h"
>  #include "php3_string.h"
> +#include "exec.h"
>  #include "file.h"
>  #if HAVE_PWD_H
>  #if MSVC5
> @@ -575,7 +576,7 @@
>  	pval *arg1, *arg2;
>  	FILE *fp;
>  	int id;
> -	char *p;
> +	char *p, *tmp=NULL;
>  	char *b, buf[1024];
>  	TLS_VARS;
>
> @@ -601,6 +602,11 @@
>  		snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
>  	}
>  	fp = popen(buf,p);

Not removing this line leaves the problem in PHP3. You'd better
remove it :-)

> +
> +	tmp = _php3_escapeshellcmd(buf);
> +	fp = popen(tmp,p);
> +	efree(tmp); /* temporary copy, no longer necessary */
> +
>  	if (!fp) {
>  		php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
>  		RETURN_FALSE;

CU,
Thomas
--
 Thomas Köhler    Email: jean-luc@picard.franken.de      | LCARS - Linux for
      <><         WWW:   http://home.pages.de/~jeanluc/  | Computers on All
                  IRC:   jeanluc                         | Real Starships
 PGP public key: http://www.mayn.de/users/jean-luc/PGP-Public.asc
(4643299) ------------------------------------------(Reflowed)
4646652 2000-01-06 22:14 /43 lines/ Postmaster
Recipient: Bugtraq (import) <9212>
Subject: Re: PHP3 safe_mode and popen()
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <200001060831.JAA09468@valiant.koehntopp.de>
Date: Thu, 6 Jan 2000 09:31:44 +0100
From: Kristian Koehntopp <kris@KOEHNTOPP.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

In netuse.lists.bugtraq you write:
> Right... Your patch seems to work only with php-3.0.12.
> I attach modified version for php-3.0.13.

Actually, my patch is against the current CVS of PHP and the diff
I posted was being generated directly from the CVS. Get yourself a
copy of current PHP directly from the CVS and all is well.
>@@ -601,6 +602,11 @@
> 		snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
> 	}
> 	fp = popen(buf,p);
>+
>+	tmp = _php3_escapeshellcmd(buf);
>+	fp = popen(tmp,p);
>+	efree(tmp); /* temporary copy, no longer necessary */
>+

Your patch does popen twice and the first popen() is unescaped.
This is broken and should not be used. Again, please use the CVS to
get a properly patched version of PHP or wait for the bugfix
release of PHP which will be out RSN.

Kristian
(4646652) ------------------------------------------
4807102 2000-02-17 08:00 /129 lines/ Postmaster
Recipient: Bugtraq (import) <9810>
Subject: Re: ASP Security Hole (PHP Too)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000215224543.E7C7DB812@fear.qoop.org>
Date: Tue, 15 Feb 2000 16:45:43 -0600
From: "Joshua J. Drake" <jdrake@QOOP.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <81D7AF647CE8D211A53A00805F9FACFB50D68C@WATERTOWER> from "Justi King" at Feb 10, 2000 03:47:36 PM

The following is also true for PHP. Naming PHP include files .inc
gives anyone full-read access to the files by simply requesting
them by name. The solution of course is to do one of the following:

a. name php include files with a PHP extension (.php, .php3, etc)
   that is associated with PHP parsing them

b. associate .inc files with PHP so that they are parsed and not
   displayed

> It has been preached by the ASP industry professionals for as long as I've
> been in it, that ALL included files MUST have a ".asp" extension and that
> ASP debugging should be disabled on all production servers in order to keep
> all code out of evil hands.
>
> The problem here is 100% between the chair and the keyboard.
>
> -----Original Message-----
> From: bgreenbaum@SECURITYFOCUS.COM [mailto:bgreenbaum@SECURITYFOCUS.COM]
> Sent: Wednesday, February 09, 2000 7:22 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: ASP Security Hole (fwd)
>
> Forwarded with permission of the author. Please direct all replies to
> jwalsh@jwsg.com.
>
> Ben Greenbaum
> Director of Site Content
> Security Focus
> http://www.securityfocus.com
>
> ---------- Forwarded message ----------
> Description:
> ============
> Active server pages (ASP) with runtime errors
> expose a security hole that publishes
> the full source code name to the caller.
> If these scripts are published on the
> internet before they are debugged by
> the programmer, the major search
> engines index them. These indexed
> ASP pages can be then located with a
> simple search. The search results publish
> the full path and file name for the ASP
> scripts. This URL can be viewed in a browser
> and may reveal full source code with
> details of business logic, database location
> and structure.
>
> Procedure:
> ==========
> - In the Altavisa search engine execute a search for
>   +"Microsoft VBScript runtime error" +".inc, "
>
> - Look for search results that include the full
>   path and filename for an include (.inc) file.
>
> - Append the include filename to the host name
>   and call this up in a web browser.
>   Example: www.rodney.com/stationery/browser.inc
>
> Examples:
> =========
> http://shopping.altavista.com/inc/lib/prep.lib
> Exposes database connections and properties, resource locations,
> cookie logic, server IP addresses, business logic
>
> http://www.justshop.com/SFLib/ship.inc
> Exposes database properties, business logic
>
> http://www.bbclub.com:8013/includes/general.inc
> Exposes cobranding business logic
>
> http://www.salest.com/corporate/admin/include/jobs.inc
> Exposes datafile locations and structure
>
> http://www.bjsbabes.com/SFLib/design.inc
> Exposes source code for StoreFront 2000 including
> database structure
>
> http://www.ffg.com/scripts/IsSearchEngine.inc
> Exposes search engine log
>
> http://www.wcastl.com/include/functions.inc
> Exposes members email addresses and
> private comments file http://www.wcastl.com/flat/comments.txt
>
> http://www.traveler.net/two/cookies.inc
> Exposes cookie logic
>
> Resolution:
> ===========
>
> - Search engines should not index pages that
>   have ASP runtime errors.
>
> - Programmers should fully debug their ASP
>   scripts before publishing them on the web
>
> - Security administrators need to secure
>   the ASP include files so that external users
>   can not view them.
>
> ===========================
> Jerry Walsh
> JW's Software Gems
> Email   jwalsh@jwsg.com
> Phone   (949) 855-0233
> Website http://www.jwsg.com
> ===========================
(4807102) ------------------------------------------(Reflowed)
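The following audit script is an added example; it is not part of the thread above and not code from PHP, Apache or any of the sites named. It checks a document root for the exposure Joshua Drake and Jerry Walsh describe: include files (the thread's examples end in .inc and .lib) that the web server would hand back as plain text because no handler parses them and no access rule refuses them. It assumes an Apache-style configuration in which extensions are mapped to PHP with AddType or AddHandler lines (resolution b above) and access is refused with a <FilesMatch> block containing "Deny from all" or "Require all denied"; the sample file tree and both configuration fragments are constructed for the demonstration, with paths modelled on the ones quoted in the thread.

```python
"""Audit a document root for include files a web server would serve as text.

Added example, not code from the Bugtraq thread or from PHP/Apache. It
assumes an Apache-style configuration: extensions are handed to PHP with
AddType/AddHandler lines, and access is refused with a <FilesMatch> block
containing "Deny from all" or "Require all denied".
"""
import os
import re
import tempfile

# Suffixes the thread's examples use for include/library files
INCLUDE_SUFFIXES = (".inc", ".lib")

# AddType application/x-httpd-php .php .php3   /   AddHandler php-script .php
_ADD_RE = re.compile(
    r"^\s*(?:AddType|AddHandler)\s+\S*php\S*\s+(.+?)\s*$", re.M | re.I)
# <FilesMatch "pattern"> ... </FilesMatch>
_FILESMATCH_RE = re.compile(
    r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)
_DENY_RE = re.compile(r"Deny\s+from\s+all|Require\s+all\s+denied", re.I)


def parse_apache_config(text):
    """Return (extensions mapped to PHP, compiled deny patterns)."""
    php_exts = set()
    for m in _ADD_RE.finditer(text):
        php_exts.update(ext.lower() for ext in m.group(1).split())
    deny = [re.compile(pattern)
            for pattern, body in _FILESMATCH_RE.findall(text)
            if _DENY_RE.search(body)]
    return php_exts, deny


def find_exposed_includes(docroot, php_exts, deny_patterns):
    """Relative paths of include files that would be returned as raw source."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in INCLUDE_SUFFIXES:
                continue
            if ext in php_exts:
                continue  # parsed by PHP: output, not source, is returned
            if any(p.search(name) for p in deny_patterns):
                continue  # the server refuses the request outright
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


# Constructed sample tree, paths modelled on the ones quoted in the thread
SAMPLE_FILES = {
    "index.php": "<?php include 'SFLib/ship.inc'; ?>",
    "SFLib/ship.inc": "<?php $db_password = 'example'; ?>",
    "inc/lib/prep.lib": "<?php $dsn = 'example'; ?>",
    "lib/helpers.php": "<?php function helper() {} ?>",
}

# Constructed config fragments: the weak one maps only .php/.php3 to PHP
WEAK_CONFIG = "AddType application/x-httpd-php .php .php3\n"
# The fixed one applies resolution (b) to .inc and refuses .lib entirely
FIXED_CONFIG = WEAK_CONFIG + (
    "AddType application/x-httpd-php .inc\n"
    '<FilesMatch "\\.lib$">\n'
    "    Deny from all\n"
    "</FilesMatch>\n"
)


def audit(config_text):
    """Build the sample tree in a temp dir and audit it against config_text."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        exts, deny = parse_apache_config(config_text)
        return find_exposed_includes(root, exts, deny)


if __name__ == "__main__":
    print("weak config exposes:", audit(WEAK_CONFIG))
    print("fixed config exposes:", audit(FIXED_CONFIG))
```

With the weak fragment the script reports SFLib/ship.inc and inc/lib/prep.lib; with the fixed fragment it reports nothing. Pointing find_exposed_includes() at a real document root together with the server's own configuration gives a quick inventory of which include files a remote client could read as source, which is the same question the posted search procedure answers from the outside.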