PHP safe_mode bypass for windows
Date: October 13, 2008 07:43PM
I wrote a small post on my weblog regarding a safe_mode bypass for PHP. It works on all versions I have tested (including the latest), but only on Windows. Those few of you who know my blog also know that I barely write anything and I'm not a good writer ;)
Anyway, I reported this to the PHP team several times but got no response, so I'm trying to bring this to public attention because I feel it's a serious issue (although I see the limiting facts: Windows, PHP eval).
There you go :)
http://websec.wordpress.com/2008/10/14/php-safe_mode-bypass/
Re: PHP safe_mode bypass for windows
Date: December 24, 2008 07:02PM
Isn't safe_mode supposed to protect PHP only when run as a CGI and NOT when it is running as a command-line process (because it means that the user has already run a process, so no protection from process execution is required)?
http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!
Re: PHP safe_mode bypass for windows
Date: January 11, 2009 05:56AM
TheInsider Wrote:
-------------------------------------------------------
> Isn't safe_mode supposed to protect PHP only when
> run as a CGI and NOT when it is running as a
> command-line process (because it means that the user
> has already run a process, so no protection from
> process execution is required)?
I guess it is not supposed to protect CGI only, because safe_mode turned on will block calls like exec() at the command line too (actually).
Anyway, as stated in the blog post, the bug does work at CGI too, so exploiting a PHP eval() or uploading a PHP file with "<? exec('\calc') ?>" does work.