Vigil@nce: PHP, bypassing safe_mode
June 2008 by Vigil@nce
SYNTHESIS
An attacker can use a file name starting with "http://" in order
to bypass safe_mode restrictions.
Gravity: 1/4
Consequences: data reading, data creation/edition
Provenance: user account
Means of attack: 2 proofs of concept
Ability of attacker: specialist (3/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/06/2008
Identifier: VIGILANCE-VUL-7904
IMPACTED PRODUCTS
– PHP [confidential versions]
DESCRIPTION
The safe_mode configuration directive of PHP enables restrictions,
such as access rights to files. However, this directive can be
bypassed.
The posix_access() function indicates if the user can access to a
file. If the file path starts with "http//../", the check is done
on an uri, and is thus always True. Moreover, expand_filepath()
converts the uri to a file ("http://../name" becomes "../name"),
which becomes valid and accessible. [grav:1/4; BID-29797,
CVE-2008-2665]
The chdir() function changes the current directory. If the
directory path starts with "http//../", the check is done on an
uri, and is thus always True. Moreover, expand_filepath() converts
the uri to a file ("http://../name" becomes "../name"), which
becomes valid and accessible. [grav:1/4; BID-29796, CVE-2008-2666]
CHARACTERISTICS
Identifiers: BID-29796, BID-29797, CVE-2008-2665, CVE-2008-2666,
VIGILANCE-VUL-7904