Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7002 to the following vulnerability:

PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir restrictions for certain functions, which might allow local users to bypass intended access restrictions and call programs outside of the intended directory via the (1) exec, (2) system, (3) shell_exec, (4) passthru, or (5) popen functions, possibly involving pathnames such as "C:" drive notation.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7002
http://www.securityfocus.com/bid/31064

Reproducer:
-----------
http://downloads.securityfocus.com/vulnerabilities/exploits/31064.php

Credit:
-------
Ciph3r
More details about PHP security and safe mode:
----------------------------------------------
[1] http://cz2.php.net/manual/en/ini.sect.safe-mode.php

More details from [1] regarding open_basedir:

open_basedir string
    Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
    The default is to allow all files to be opened.

[2] http://cz2.php.net/features.safe-mode

From [2]:

Safe Mode is deprecated in PHP 5.3.0 and is removed in PHP 6.0.0.
This is not a security issue; it's not even a claimed bypass of open_basedir and safe_mode_exec_dir restrictions. Quoting the "exploit":

PHP.INI settings:
safe_mode = Off
disable_functions =
open_basedir = htdocs            <-- bypassed
safe_mode_exec_dir = htdocs      <-- bypassed

Further quoting PHP documentation:
http://www.php.net/manual/en/ini.sect.safe-mode.php

safe_mode_exec_dir string
    If PHP is used in safe mode, system() and the other functions executing system programs refuse to start programs that are not in this directory. You have to use / as directory separator on all environments including Windows.

Given the assumed safe_mode = off setting, it's obviously trivial to "bypass" safe_mode_exec_dir, which is not enforced. The open_basedir restriction does not attempt to restrict the various exec functions. That's what the safe_mode and disable_functions settings are meant to do.
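The following probe script is an added example and is not part of this thread or of the reproducer it discusses. It makes the distinction above concrete: open_basedir is enforced on file opens, but the exec-family functions are untouched by it, and only disable_functions (or, on PHP 5.x with safe_mode=On, safe_mode_exec_dir) removes them. The paths and the command-line invocations are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. Run twice with the same
// open_basedir and different disable_functions settings (paths are
// assumed for illustration):
//
//   php -d open_basedir=/var/www/htdocs -d disable_functions= probe.php
//   php -d open_basedir=/var/www/htdocs \
//       -d disable_functions=exec,system,shell_exec,passthru,popen,proc_open probe.php
//
// In the first run the fopen() is blocked but shell_exec() still runs a
// program from /bin, i.e. well outside open_basedir. In the second run
// shell_exec() no longer exists, which is the control the reply refers to.

function probe_file_access(string $path): string
{
    // open_basedir is consulted here: opening a file outside the tree fails
    // with a warning (suppressed) and fopen() returns false.
    $fh = @fopen($path, 'r');
    if ($fh === false) {
        return "fopen($path): blocked by open_basedir";
    }
    fclose($fh);
    return "fopen($path): allowed";
}

function probe_exec(string $cmd): string
{
    // open_basedir is NOT consulted for program execution. A function listed
    // in disable_functions is reported as non-existent by function_exists(),
    // so check that before calling it.
    if (!function_exists('shell_exec')) {
        return "shell_exec: removed via disable_functions";
    }
    $out = shell_exec($cmd);
    return "shell_exec($cmd): ran, output: " . trim((string) $out);
}

echo probe_file_access('/etc/hostname'), PHP_EOL;       // outside open_basedir
echo probe_exec('/bin/echo outside-open_basedir'), PHP_EOL; // binary outside open_basedir
```

The hardened php.ini line for a deployment that never needs to spawn processes is therefore the disable_functions list above (plus proc_open, which the CVE text omits), not a tighter open_basedir; on PHP 5.3 and later, safe_mode_exec_dir is not available as a substitute.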