Date: Wed, 16 Jul 2003 09:46:43 +0200
From: Michal Krause <michal@...use.cz>
To: bugtraq@...urityfocus.com
Subject: PHP safe mode broken?


Hi,

I think there is a bug in PHP safe mode handling from version 4.3.0 till
now.

Problem description:

There is a function php_check_safe_mode_include_dir() (fopen_wrappers.c)
which checks, if file is in safe_mode_include_dir. When no
safe_mode_include_dir is specified in the configuration, this function
returns 0 which means success. Older versions (4.2.3) returned -1
(failure) in such case.

There is other function in streams.c - _php_stream_fopen_with_path()
which makes two tests in some cases (on line 1856 in version 4.3.2): it
checks results of functions php_check_safe_mode_include_dir() and
php_checkuid().

And there is a problem: there is OR condition between theese two tests.
When there is no value in the safe_mode_include_dir directive,
php_check_safe_mode_include_dir() returns always 0 (true) and due to OR
condition result of php_checkuid() is irrelevant. This means that
include() and require() functions in PHP scripts always succeed
- regardless of file permissions.

I think, there was made one of the following mistakes:

a) php_check_safe_mode_include_dir() should return -1 (false) when there
is no value in the safe_mode_include_dir directive as older versions

or

b) someone wanted to switch behaviour of theese test to the state where
both tests must pass ("file must be in safe_mode_include_dir and must
have appropriate owner/group"). In this case
php_check_safe_mode_include_dir() really should return 0 (true) when
there is no value in the safe_mode_include_dir directive, but there must
be AND condition instead of OR in the _php_stream_fopen_with_path()
function.

This behaviour could make older working setups insecure after upgrading
to PHP 4.3.x.

I tried to report this bug to PHP developers twice in last weeks, but
I didn't receive any answer.

Best regards
Michal Krause

Powered by blists - more mailing lists