PHP safe_mode bypass for windows

Re: PHP safe_mode bypass for windows

Reiners — Sun, 11 Jan 2009 05:56:27 -0600

TheInsider Wrote:
-------------------------------------------------------
> Isn't safe_mode suppose to protect PHP only when
> ran as a CGI and NOT when it is running as a
> command-line process (because it means that user
> has already ran a process so no protection from
> process execution is required)?

I guess it is not supposed to protect CGI only because safe_mode turned on will block calls like exec() at command line too (actually).

anyway, as stated in the blogpost the bug does work at CGI too, so exploiting a PHP eval() or uploading a PHP file with "" does work.

Re: PHP safe_mode bypass for windows

one23 — Sun, 04 Jan 2009 15:41:33 -0600

n1ce find !
now , every one can run command even with safe mode : ON !

Re: PHP safe_mode bypass for windows

TheInsider — Wed, 24 Dec 2008 19:02:23 -0600

Isn't safe_mode suppose to protect PHP only when ran as a CGI and NOT when it is running as a command-line process (because it means that user has already ran a process so no protection from process execution is required)?

Re: PHP safe_mode bypass for windows

Gareth Heyes — Mon, 20 Oct 2008 09:41:44 -0500

There's a surprise!
I wonder why Stefan left...

PHP safe_mode bypass for windows

Reiners — Mon, 13 Oct 2008 19:43:37 -0500

I wrote a small post on my weblog regarding a safe_mode bypass for PHP. It works on all versions I have tested (including the latest), but only on windows. those few of you who know my blog also know that I barely write something and I'm not a good writer ;)
Anyway I reported this to the PHP team several times but got no response, so I'm trying to bring this to public attention because I feel it's a serious issue (although I see the limiting facts: windows, PHP eval)

there you go :)
http://websec.wordpress.com/2008/10/14/php-safe_mode-bypass/