Bug 169857 - (php-safemode-wontfix, safemode, safe_mode) php open_basedir / safe mode bypass
php open_basedir / safe mode bypass
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
David Lawrence
http://bugs.debian.org/cgi-bin/bugrep...
: Security
: CVE-2005-3391 CVE-2006-3011 CVE-2006-4625 CVE-2007-0905 CVE-2007-4652 CVE-2007-4663 CVE-2007-3997 CVE-2007-3378 CVE-2007-4825 CVE-2007-4889 CVE-2007-4850 CVE-2008-2665 CVE-2008-2666 CVE-2008-3659 CVE-2008-5624 CVE-2008-5625 CVE-2009-3557/CVE-2009-3558/CVE-2009-3559 CVE-2009-4018 CVE-2009-4143 CVE-2010-1129/CVE-2010-1130 CVE-2010-2097/MOPS-2010-032/MOPS-2010-033/MOPS-2010-034 CVE-2010-2190/MOPS-2010-047/MOPS-2010-048 CVE-2010-2191/MOPS-2010-049/MOPS-2010-050/MOPS-2010-051/MOPS-2010-052/MOPS-2010-053/MOPS-2010-054/MOPS-2010-055 CVE-2010-1914/MOPS-2010-014/MOPS-2010-015/MOPS-2010-016 CVE-2010-1915/MOPS-2010-017 CVE-2010-1864/MOPS-2010-006 CVE-2010-1860/MOPS-2010-010 CVE-2010-1862/MOPS-2010-008 CVE-2010-1861/MOPS-2010-009 CVE-2010-2100/MOPS-2010-036/MOPS-2010-037/MOPS-2010-038/MOPS-2010-039/MOPS-2010-040 CVE-2010-2484 CVE-2010-3436 CVE-2010-4150 CVE-2010-4697 CVE-2011-1092 CVE-2011-1657 CVE-2012-1171 CVE-2012-3365 CVE-2013-1635 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-04 10:32 EDT by Josh Bressers
Modified: 2015-05-18 16:54 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-12 08:21:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
CVE-2012-3365-test.patch (2.20 KB, patch)
2012-07-22 07:34 EDT, Svyatoslav Lempert
no flags Details | Diff

  None (edit)
Description Josh Bressers 2005-10-04 10:32:53 EDT
This issue was reported by debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323585

It seems it is possible to bypass the open_basedir directive, allowing users
access to various files they should not have access to.
Comment 1 Joe Orton 2005-10-12 08:21:46 EDT
The PHP "safe mode" and "open_basedir" configuration options are intended to
prevent an interpreted script from executing arbitrary system commands or
opening arbitrary  files on the system.

But the PHP interpreter does not offer a "sandboxed" security layer (as found
in, say, a JVM) with which to reliably implement these features, so they cannot
be relied upon as a security feature.

Any bug in PHP (or any extension) which allows a script to corrupt memory or
cause the interpreter to crash may allow the script to bypass safe mode or
open_basedir.  Similarly, any feature of a bundled (or third-party) extension
which allows the script to open arbitrary files, or execute arbitrary commands,
may allow the script to bypass safe mode or open_basedir.

For these reasons, bugs in the "safe mode" and "open_basedir" options, or any
bugs in the PHP interpreter or extensions which allow scripts to bypass these
options, will not be treated as security-sensitive.

See also http://www.php.net/security-note.php for the similar position taken by
the PHP project.
Comment 2 Joe Orton 2005-11-07 09:03:18 EST
*** Bug 172204 has been marked as a duplicate of this bug. ***
Comment 3 Joe Orton 2005-11-07 09:05:23 EST
This bug will be used as a meta-bug for tracking PHP "safe"-mode/open_basedir
issues, which will in general not be fixed in updates for Red Hat Enterprise
Linux of the PHP package.
Comment 4 Joe Orton 2006-09-15 08:44:35 EDT
*** Bug 205003 has been marked as a duplicate of this bug. ***
Comment 5 Joe Orton 2006-09-15 08:47:32 EDT
*** Bug 206276 has been marked as a duplicate of this bug. ***
Comment 6 Joe Orton 2007-05-15 11:24:19 EDT
*** Bug 240155 has been marked as a duplicate of this bug. ***
Comment 7 Joe Orton 2007-09-05 05:17:17 EDT
*** Bug 278001 has been marked as a duplicate of this bug. ***
Comment 8 Joe Orton 2007-09-05 05:17:34 EDT
*** Bug 277971 has been marked as a duplicate of this bug. ***
Comment 9 Joe Orton 2007-09-05 05:17:42 EDT
*** Bug 277991 has been marked as a duplicate of this bug. ***
Comment 10 Joe Orton 2007-09-05 05:18:46 EDT
*** Bug 278071 has been marked as a duplicate of this bug. ***
Comment 11 Tomas Hoger 2007-09-12 12:45:59 EDT
*** Bug 287971 has been marked as a duplicate of this bug. ***
Comment 12 Mark J. Cox (Product Security) 2007-09-14 06:35:07 EDT
*** Bug 290591 has been marked as a duplicate of this bug. ***
Comment 13 Tomas Hoger 2008-06-25 03:40:14 EDT
Safe mode feature was removed upstream for the upcoming PHP 6 release:

  http://www.php.net/manual/en/features.safe-mode.php

  Warning: Safe Mode was removed in PHP 6.0.0.
Comment 14 Tomas Hoger 2008-06-25 08:56:29 EDT
*** Bug 452206 has been marked as a duplicate of this bug. ***
Comment 15 Tomas Hoger 2008-06-25 08:56:38 EDT
*** Bug 452207 has been marked as a duplicate of this bug. ***
Comment 16 Tomas Hoger 2008-07-25 04:21:43 EDT
*** Bug 436541 has been marked as a duplicate of this bug. ***
Comment 17 Josh Bressers 2009-02-26 16:29:17 EST
*** Bug 476985 has been marked as a duplicate of this bug. ***
Comment 18 Josh Bressers 2009-03-10 15:24:50 EDT
*** Bug 476986 has been marked as a duplicate of this bug. ***
Comment 19 Tomas Hoger 2009-03-25 05:00:23 EDT
*** Bug 459569 has been marked as a duplicate of this bug. ***
Comment 20 Tomas Hoger 2009-11-20 08:53:59 EST
*** Bug 539529 has been marked as a duplicate of this bug. ***
Comment 21 Jan Lieskovsky 2009-11-23 12:59:21 EST
Mitre's CVE-2009-3557 entry:
---------------------------

The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier,
and 5.3.x before 5.3.1, allows context-dependent attackers to bypass
safe_mode restrictions, and create files in group-writable or
world-writable directories, via the dir and prefix arguments.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log
http://svn.php.net/viewvc?view=revision&revision=288945
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
http://secunia.com/advisories/37412
http://securityreason.com/securityalert/6601

Mitre's CVE-2009-3558 entry:
----------------------------

The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and
earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to
bypass open_basedir restrictions, and create FIFO files, via the
pathname and mode arguments, as demonstrated by creating a .htaccess
file.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/posix/posix.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/posix/posix.c?view=log
http://svn.php.net/viewvc?view=revision&revision=288943
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
http://secunia.com/advisories/37412
http://securityreason.com/securityalert/6600
Comment 22 Tomas Hoger 2009-11-25 10:25:47 EST
*** Bug 541239 has been marked as a duplicate of this bug. ***
Comment 23 Tomas Hoger 2009-12-23 10:15:00 EST
*** Bug 548532 has been marked as a duplicate of this bug. ***
Comment 24 Vincent Danen 2010-03-27 23:31:30 EDT
*** Bug 577578 has been marked as a duplicate of this bug. ***
Comment 25 Tomas Hoger 2010-07-23 09:32:18 EDT
*** Bug 617578 has been marked as a duplicate of this bug. ***
Comment 26 Tomas Hoger 2010-07-26 05:13:23 EDT
*** Bug 601897 has been marked as a duplicate of this bug. ***
Comment 27 Tomas Hoger 2010-07-26 05:36:56 EDT
*** Bug 598562 has been marked as a duplicate of this bug. ***
Comment 28 Tomas Hoger 2010-07-26 09:48:38 EDT
*** Bug 617211 has been marked as a duplicate of this bug. ***
Comment 29 Tomas Hoger 2010-07-26 14:41:50 EDT
*** Bug 618359 has been marked as a duplicate of this bug. ***
Comment 30 Tomas Hoger 2010-07-26 15:04:31 EDT
*** Bug 618366 has been marked as a duplicate of this bug. ***
Comment 31 Tomas Hoger 2010-07-27 06:11:01 EDT
*** Bug 618579 has been marked as a duplicate of this bug. ***
Comment 32 Tomas Hoger 2010-07-27 07:06:43 EDT
*** Bug 617180 has been marked as a duplicate of this bug. ***
Comment 33 Tomas Hoger 2010-07-27 14:08:37 EDT
*** Bug 618785 has been marked as a duplicate of this bug. ***
Comment 34 Tomas Hoger 2010-07-28 05:54:42 EDT
*** Bug 601901 has been marked as a duplicate of this bug. ***
Comment 35 Tomas Hoger 2010-07-29 05:32:45 EDT
*** Bug 619324 has been marked as a duplicate of this bug. ***
Comment 36 Vincent Danen 2010-11-08 19:18:14 EST
*** Bug 651204 has been marked as a duplicate of this bug. ***
Comment 37 Huzaifa S. Sidhpurwala 2010-12-06 00:07:16 EST
*** Bug 656917 has been marked as a duplicate of this bug. ***
Comment 38 Huzaifa S. Sidhpurwala 2010-12-28 03:54:23 EST
*** Bug 662707 has been marked as a duplicate of this bug. ***
Comment 39 Tomas Hoger 2011-01-19 12:40:01 EST
*** Bug 670792 has been marked as a duplicate of this bug. ***
Comment 40 Vincent Danen 2011-03-16 17:53:01 EDT
*** Bug 683183 has been marked as a duplicate of this bug. ***
Comment 41 Tomas Hoger 2011-07-01 11:22:00 EDT
*** Bug 718253 has been marked as a duplicate of this bug. ***
Comment 42 Huzaifa S. Sidhpurwala 2012-04-17 01:55:19 EDT
*** Bug 802591 has been marked as a duplicate of this bug. ***
Comment 43 Huzaifa S. Sidhpurwala 2012-04-18 00:11:53 EDT
*** Bug 802591 has been marked as a duplicate of this bug. ***
Comment 44 Stefan Cornelius 2012-05-15 09:34:42 EDT
*** Bug 783609 has been marked as a duplicate of this bug. ***
Comment 45 Vincent Danen 2012-07-20 13:42:24 EDT
*** Bug 841972 has been marked as a duplicate of this bug. ***
Comment 46 Svyatoslav Lempert 2012-07-22 07:34:25 EDT
Created attachment 599581 [details]
CVE-2012-3365-test.patch

Use this patch for fix this issue, I have used this patch file on my PHP 5.2.17 and got this from http://git.php.net/?p=php-src.git;a=commit;h=055ecbc62878e86287d742c7246c21606cee8183
Comment 47 Vincent Danen 2013-03-07 12:25:38 EST
*** Bug 918196 has been marked as a duplicate of this bug. ***
Comment 48 Tomas Hoger 2015-05-18 16:54:06 EDT
(In reply to Tomas Hoger from comment #13)
> Safe mode feature was removed upstream for the upcoming PHP 6 release:
> 
>   http://www.php.net/manual/en/features.safe-mode.php
> 
>   Warning: Safe Mode was removed in PHP 6.0.0.

Upstream versioning plans apparently changed since the comment 13 was made.  Safe mode was deprecated in 5.3.0 and removed in 5.4.0.

Note You need to log in before you can comment on or make changes to this bug.