Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
PHP safe_mode bypass for windows
Posted by: Reiners
Date: October 13, 2008 07:43PM

I wrote a small post on my weblog regarding a safe_mode bypass for PHP. It works on all versions I have tested (including the latest), but only on Windows. Those few of you who know my blog also know that I barely write anything and I'm not a good writer ;)
Anyway, I reported this to the PHP team several times but got no response, so I'm trying to bring this to public attention because I feel it's a serious issue (although I see the limiting facts: Windows, PHP eval).

There you go :)
http://websec.wordpress.com/2008/10/14/php-safe_mode-bypass/

Re: PHP safe_mode bypass for windows
Posted by: Gareth Heyes
Date: October 20, 2008 09:41AM

There's a surprise!
I wonder why Stefan left...

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHP safe_mode bypass for windows
Posted by: TheInsider
Date: December 24, 2008 07:02PM

Isn't safe_mode supposed to protect PHP only when run as a CGI and NOT when it is running as a command-line process (because it means that user has already run a process so no protection from process execution is required)?

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!

Re: PHP safe_mode bypass for windows
Posted by: one23
Date: January 04, 2009 03:41PM

n1ce find!
Now, everyone can run commands even with safe mode: ON!

Re: PHP safe_mode bypass for windows
Posted by: Reiners
Date: January 11, 2009 05:56AM

TheInsider Wrote:
-------------------------------------------------------
> Isn't safe_mode supposed to protect PHP only when
> run as a CGI and NOT when it is running as a
> command-line process (because it means that user
> has already run a process so no protection from
> process execution is required)?

I guess it is not supposed to protect CGI only, because safe_mode turned on will block calls like exec() at the command line too (actually).

Anyway, as stated in the blog post, the bug does work at CGI too, so exploiting a PHP eval() or uploading a PHP file with "<? exec('\calc') ?>" does work.
