PHP :: Bug #45997 :: safe

PHP :: Bug #45997 :: safe_mode bypass

Bug #45997

safe_mode bypass

Submitted:

2008-09-04 19:03 UTC

Modified:

2009-04-30 15:27 UTC

Votes:	11
Avg. Score:	4.4 ± 1.4
Reproduced:	5 of 7 (71.4%)
Same Version:	5 (100.0%)
Same OS:	5 (100.0%)

From:

johannesdahse at gmx dot de

Assigned:

pajoye (profile)

Status:

Closed

Package:

Safe Mode/open_basedir

PHP Version:

5.2.6

OS:

win32 only

Private report:

CVE-ID:

None

[2008-09-04 19:03 UTC] johannesdahse at gmx dot de

Description:
------------
safe_mode bypass with a preceding backslash. tested with exec(), system() and passthru(). on windows only.

Sorry, I do feel this bug concerns a security issue but I got no response from security@php.net after sending 2 emails from 2 different accounts about 6 weeks ago.

Reproduce code:
---------------
on commandline:
php -n -d safe_mode=on -r "exec('\ping 192.168.222.1');"

with PHP script and enabled safe_mode in php.ini:
<? exec('\ping 192.168.222.1'); ?>

Expected result:
----------------
safe_mode turned on should block code execution from exec() and other functions.

Actual result:
--------------
By adding a backslash infront of the command the command got  executed anyhow.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-04-30 15:27 UTC] pajoye@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.