Bug 541239 - (CVE-2009-4018) CVE-2009-4018 php: proc_open() safe mode restriction bypass
Status: CLOSED DUPLICATE of bug 169857
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
URL: http://bugs.php.net/bug.php?id=49026
Whiteboard: impact=none,source=osssecurity,report...
Keywords: Security
Depends On:
Blocks:

Reported: 2009-11-25 05:56 EST by Jan Lieskovsky
Modified: 2009-11-30 08:57 EST
CC: 1 user

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Last Closed: 2009-11-25 10:25:46 EST

Attachments: None
Description Jan Lieskovsky 2009-11-25 05:56:04 EST
A missing permission check was found in the way PHP used to pass
environment variables to a new process (instance of PHP script)
to be opened. An attacker could use this flaw to alter the
process environment, leading to bypass of intended PHP safe_mode_protected_env_vars INI restrictions.

Upstream bug report:
-------------------
http://bugs.php.net/bug.php?id=49026

Upstream patch:
---------------
http://svn.php.net/viewvc/?view=revision&revision=286360
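The check that proc_open() skipped, as an added PHP example that is neither the upstream patch nor code from the bug report: a userland filter that applies the safe_mode_protected_env_vars and safe_mode_allowed_env_vars rules, the same two checks putenv() already enforced, to the env array before it reaches proc_open(). The function names, and the choice to compare variable names case-insensitively, are assumptions of this example.

```php
<?php
// Added example (not the upstream fix and not the page's reproducer): filter the
// $env array the way safe mode's putenv() filters single variables, then hand only
// the surviving entries to proc_open(). Helper names are this example's own.

function split_ini_list(string $list): array {
    // "PHP_, MY_APP_" -> ["PHP_", "MY_APP_"]; an empty string -> []
    return array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
}

/**
 * Mirror of the two putenv() safe mode checks.
 * Returns ['env' => accepted entries, 'rejected' => [name => reason, ...]].
 */
function filter_env_for_safe_mode(array $env, string $allowedPrefixes, string $protectedNames): array {
    $allowed   = split_ini_list($allowedPrefixes);
    $protected = array_map('strtoupper', split_ini_list($protectedNames));
    $kept = [];
    $rejected = [];
    foreach ($env as $name => $value) {
        $name = (string) $name;
        // 1. protected names can never be overridden (checked first, matching the
        //    order of the warnings in the expected output of the reproducer)
        if (in_array(strtoupper($name), $protected, true)) {
            $rejected[$name] = 'protected environment variable';
            continue;
        }
        // 2. an empty allowed list permits any name; otherwise one prefix must match
        //    (assumption: prefixes are compared case-insensitively)
        if ($allowed !== []) {
            $ok = false;
            foreach ($allowed as $prefix) {
                if (strncasecmp($name, $prefix, strlen($prefix)) === 0) { $ok = true; break; }
            }
            if (!$ok) { $rejected[$name] = 'not in the allowed list'; continue; }
        }
        $kept[$name] = $value;
    }
    return ['env' => $kept, 'rejected' => $rejected];
}

/** Drop-in wrapper: filter, warn about every dropped variable, then run the command. */
function proc_open_filtered(string $cmd, array $descriptorspec, &$pipes, ?string $cwd, array $env,
                            string $allowedPrefixes, string $protectedNames) {
    $r = filter_env_for_safe_mode($env, $allowedPrefixes, $protectedNames);
    foreach ($r['rejected'] as $name => $why) {
        trigger_error("refusing to pass environment variable '$name': $why", E_USER_WARNING);
    }
    return proc_open($cmd, $descriptorspec, $pipes, $cwd, $r['env']);
}

// Constructed input: the $env array from the reproducer and the INI values from its php.ini.
$env = ['BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way', 'PHP_TESTVAR' => 'allowed'];
$r = filter_env_for_safe_mode($env, 'PHP_', 'LD_LIBRARY_PATH');
var_dump($r['env']);      // the accepted subset
var_dump($r['rejected']); // each dropped name with the reason it was dropped

// Run `env` in the child with the filtered environment only.
$spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
$p = proc_open_filtered('env', $spec, $pipes, null, $env, 'PHP_', 'LD_LIBRARY_PATH');
if (is_resource($p)) {
    fclose($pipes[0]);
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($p);
}
```

The wrapper is only a stop-gap for code that cannot move to a fixed release: it protects calls that go through it, not direct calls to proc_open(), and a child that inherits an unfiltered environment (no env argument at all) is unaffected either way because proc_open() then passes the parent's environment, which putenv() already policed.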
Comment 1 Jan Lieskovsky 2009-11-25 05:59:30 EST
Reproducer (from upstream bug report):
--------------------------------------

In php.ini:
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir =
safe_mode_exec_dir = /usr/bin/safe
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH

Sample PHP script:

<?php
// putenv() does enforce safe mode: the first two calls only emit warnings
putenv("BLAHBLAH=123");
putenv("LD_LIBRARY_PATH=/no/way");
putenv("PHP_TESTVAR=allowed");
// the same three variables handed straight to the child through the env
// parameter, which is where the check was missing
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way',
             'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"),
                 1 => array("pipe", "w"));
$fp = proc_open('env', $dptspec, $pipes, './', $env);
echo "<pre>";
fclose($pipes[0]);
while(!feof($pipes[1])) echo fgets($pipes[1], 1024);
fclose($pipes[1]);
proc_close($fp);
echo "</pre>";
?>


Expected result:
----------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set
environment variable 'BLAHBLAH' - it's not in the allowed list in
/my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override
protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on
line 3

PHP_TESTVAR=allowed
PWD=/my/path

Actual result:
--------------
Warning: putenv() [function.putenv]: Safe Mode warning: Cannot set
environment variable 'BLAHBLAH' - it's not in the allowed list in
/my/path/test.php on line 2

Warning: putenv() [function.putenv]: Safe Mode warning: Cannot override
protected environment variable 'LD_LIBRARY_PATH' in /my/path/test.php on
line 3

LD_LIBRARY_PATH=/no/way
PHP_TESTVAR=allowed
BLAHBLAH=123
PWD=/my/path
Comment 2 Jan Lieskovsky 2009-11-25 06:00:39 EST
This issue does NOT affect the versions of the php package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the php package, as shipped with
Red Hat Enterprise Linux 5.
Comment 4 Tomas Hoger 2009-11-25 06:08:05 EST
(In reply to comment #2)
> This issue does NOT affect the versions of the php package, as shipped
> with Red Hat Enterprise Linux 3 and 4.

proc_open only supports the cwd, env and other_options parameters as of version 5.0:
http://www.php.net/manual/en/function.proc-open.php#function.proc-open.changelog
Comment 5 Tomas Hoger 2009-11-25 10:08:20 EST
This should only be relevant in configurations where safe_mode is on, safe_mode_exec_dir is set to some non-default value (default is /usr/bin, which can be easily bypassed by executing e.g. perl or python), and the command execution functions are not in the disable_functions list.
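The relevance conditions above, as an added PHP example that is not part of the bug report: a function that takes php.ini values and a PHP version and reports whether a host is in the configuration where this issue matters (safe_mode on, safe_mode_exec_dir changed from the default, proc_open not disabled) and within the affected upstream range from the CVE text (5.0 up to 5.2.10, and 5.3.0). Function names are this example's own; treating an empty or /usr/bin exec dir as non-restrictive follows the comment above and is an assumption of this example.

```php
<?php
// Added example, not from the bug report: encode comment 5's relevance conditions
// and the affected upstream version ranges. $ini stands in for parse_ini_file()
// or ini_get_all() output and is constructed below.

function ini_bool($v): bool {
    // php.ini accepts On/Off, 1/0, true/false, yes/no
    return filter_var((string) $v, FILTER_VALIDATE_BOOLEAN);
}

function ini_list(string $v): array {
    return array_values(array_filter(array_map('trim', explode(',', $v)), 'strlen'));
}

function upstream_version_affected(string $v): bool {
    // the env parameter only exists from 5.0 (comment 4);
    // fixed in 5.2.11 and 5.3.1 (comment 6 and the CVE text)
    if (version_compare($v, '5.0.0', '<')) {
        return false;
    }
    if (version_compare($v, '5.3.0', '>=')) {
        return version_compare($v, '5.3.1', '<');
    }
    return version_compare($v, '5.2.11', '<');
}

/** Returns ['relevant' => bool, 'not_relevant_because' => [reasons...]]. */
function cve_2009_4018_relevant(array $ini, string $phpVersion): array {
    $why = [];
    if (!upstream_version_affected($phpVersion)) {
        $why[] = "PHP $phpVersion is outside the affected upstream range";
    }
    if (!ini_bool($ini['safe_mode'] ?? '0')) {
        $why[] = 'safe_mode is off, so there is no restriction to bypass';
    }
    $execDir = rtrim((string) ($ini['safe_mode_exec_dir'] ?? ''), '/');
    if ($execDir === '' || $execDir === '/usr/bin') {
        // assumption: an unset or /usr/bin exec dir already lets perl, python etc. run
        $why[] = 'safe_mode_exec_dir is unset or /usr/bin, which is trivially bypassed anyway';
    }
    $disabled = array_map('strtolower', ini_list((string) ($ini['disable_functions'] ?? '')));
    if (in_array('proc_open', $disabled, true)) {
        $why[] = 'proc_open is in disable_functions';
    }
    return ['relevant' => $why === [], 'not_relevant_because' => $why];
}

// Constructed input: the php.ini block from the reproducer on an unpatched 5.2.10.
$reproIni = [
    'safe_mode'                    => 'On',
    'safe_mode_exec_dir'           => '/usr/bin/safe',
    'safe_mode_allowed_env_vars'   => 'PHP_',
    'safe_mode_protected_env_vars' => 'LD_LIBRARY_PATH',
    'disable_functions'            => '',
];
var_dump(cve_2009_4018_relevant($reproIni, '5.2.10'));

// The same host with proc_open disabled, and the same ini on a fixed release.
$hardened = $reproIni;
$hardened['disable_functions'] = 'proc_open,exec,shell_exec,system,passthru,popen';
var_dump(cve_2009_4018_relevant($hardened, '5.2.10'));
var_dump(cve_2009_4018_relevant($reproIni, '5.2.11'));
```

On a live host, feed it parse_ini_file('/etc/php.ini') and PHP_VERSION. The version test is the upstream rule from the CVE text only: a distribution package may carry the fix under an older version string, so check the vendor's advisory for the package you actually run rather than trusting the version number alone.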
Comment 6 Tomas Hoger 2009-11-25 10:09:51 EST
Issue was fixed upstream in 5.2.11 and 5.3.1.
Comment 7 Tomas Hoger 2009-11-25 10:25:46 EST

*** This bug has been marked as a duplicate of bug 169857 ***
Comment 8 Jan Lieskovsky 2009-11-30 08:57:58 EST
Mitre's CVE-2009-4018 record:
-----------------------------

The proc_open function in ext/standard/proc_open.c in PHP before
5.2.11 and 5.3.x before 5.3.1 does not enforce the (1)
safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars
directives, which allows context-dependent attackers to execute
programs with an arbitrary environment via the env parameter, as
demonstrated by a crafted value of the LD_LIBRARY_PATH environment
variable.
