This is not really an advisory, but a warning for sysadmins running
webservers with PHP. I noticed that it was possible to rebuild the user
database (Unix) even when safe_mode prevented reading /etc/passwd and
open_basedir prevented access to /etc.
The implementations of the getpw{uid,nam} functions (and their group
equivalents) in PHP do not check safe_mode and open_basedir, letting a user
rebuild a complete /etc/passwd file.
There is no implementation of getpwent(), so the user has to loop over all
possible uids, but in some environments that can cause some problems.
For more information, I have posted a bug report and a script showing
the problem:
http://bugs.php.net/bug.php?id=16733
I hope that can prevent some problems on your servers ;)
Anyway, a quick fix would be to disable the posix_* functions that deal with
the user database.
Sysadmin @ Skreel.org && Kheos.net
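The quick fix above is applied through the disable_functions directive in php.ini. The following check script is an added example, not code from the original post or from the PHP project: it lists the posix_* functions that read the user and group databases (posix_getpwuid, posix_getpwnam, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin; the list is my assumption of what "deal with the user database" covers) and reports which of them are still callable on the running interpreter, so an administrator can verify the mitigation took effect on each pool or vhost.

```php
<?php
// Added example: verify that posix_* user-database functions are disabled.
// Suggested php.ini line (assumed list, adjust to your needs):
//   disable_functions = posix_getpwuid,posix_getpwnam,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin

// Functions that expose /etc/passwd and /etc/group contents regardless of
// safe_mode / open_basedir (per the warning above).
$userDbFunctions = array(
    'posix_getpwuid',
    'posix_getpwnam',
    'posix_getgrgid',
    'posix_getgrnam',
    'posix_getgroups',
    'posix_getlogin',
);

// Parse the comma-separated disable_functions directive into a set.
$disabled = array();
foreach (explode(',', (string) ini_get('disable_functions')) as $name) {
    $name = trim($name);
    if ($name !== '') {
        $disabled[$name] = true;
    }
}

$stillCallable = array();
foreach ($userDbFunctions as $fn) {
    // A function that is compiled out (no posix extension) is also safe;
    // only functions that exist and are not disabled are reported.
    if (function_exists($fn) && !isset($disabled[$fn])) {
        $stillCallable[] = $fn;
    }
}

if (count($stillCallable) === 0) {
    echo "OK: posix user-database functions are disabled or unavailable\n";
    exit(0);
}

echo "WARNING: still callable: " . implode(', ', $stillCallable) . "\n";
exit(1);
```

Run it through the same SAPI your web content uses (for example via the webserver, not only the CLI), since disable_functions is read from the php.ini of the interpreter that serves the request; a non-zero exit or the WARNING line means the mitigation has not taken effect there.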