PHP 5.2.0 session.save_path safe_mode and open_basedir bypass
<table cellspacing="0" cellpadding="3" width="100%" border="0">
<tbody>
<tr>
<font size="2">This vulnerability reminds me of a small PHP issue I found a while ago. Thinking about it, it applies quite well here:<br /><br /></font>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<font size="2">
The only thing that interested me was that, while testing the session-related functions, I found that by modifying the session_id in the cookie you can write a new file under the session directory and control its name, in the form "sess_" + $session_id. If one could also control a variable that gets written into the session data, this might be of some use. ($session_id is restricted in its characters: only upper- and lower-case letters plus the "-" and "," characters are allowed, and it cannot exceed the file name length limit of the system PHP runs on.)<br /><br />
Likewise, if I already have a webshell, then using session_save_path together with session_set_save_handler we can write arbitrary files in any permitted directory with the privileges of the process, with no restriction at all on file name or content. Perhaps this is useful when the file-related functions have been disabled. Before PHP 5.0.4, session_save_path could even bypass open_basedir and write files anywhere the process has permission.
</font>
</div>
<br />
<br />
<font size="2">
Topic : <b>PHP 5.2.0 session.save_path safe_mode and open_basedir bypass</b><br />
SecurityAlert Id : <b>43</b><br />
SecurityRisk : <b>High</b><br />
Remote Exploit : <b>No</b><br />
Local Exploit : <b>Yes</b><br />
Exploit Given : <b>No</b><br />
Credit : <b><font color="green">Maksymilian Arciemowicz</font></b><br />
Date : <b>8.12.2006</b><br />
Affected Software : <b>PHP 5.2.0</b></font>
</tr>
<tr>
<div align="justify">
<br />
<font size="2">
Advisory Text :<br /><br />
[PHP 5.2.0 session.save_path safe_mode and open_basedir bypass]<br /><br />
Author: Maksymilian Arciemowicz (SecurityReason)<br />
Date:<br />
- Written: 02.10.2006<br />
- Public: 08.12.2006<br />
SecurityAlert Id: 43<br />
CVE: CVE-2006-6383<br />
SecurityRisk: High<br />
Affected Software: PHP 5.2.0<br />
Advisory URL: http://securityreason.com/achievement_securityalert/43<br />
Vendor: http://www.php.net<br /><br />
--- 0. Description ---<br />
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.<br /><br />
A nice introduction to PHP by Stig Sather Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.<br /><br />
Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.<br /><br />
A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.<br /><br />
session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. Defaults to /tmp. See also session_save_path().<br /><br />
There is an optional N argument to this directive that determines the number of directory levels your session files will be spread around in. For example, setting to '5;/tmp' may end up creating a session file and location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If. In order to use N you must create all of these directories before use. A small shell script exists in ext/session to do this, it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic garbage collection will not be performed, see a copy of php.ini for further information. Also, if you use N, be sure to surround session.save_path in "quotes" because the separator (;) is also used for comments in php.ini.<br /><br />
--- 1. session.save_path safe mode and open basedir bypass ---<br />
session.save_path can be set with the ini_set() and session_save_path() functions. In session.save_path there must be a path where your tmp files will be saved. But the syntax for session.save_path can be:<br /><br />
[/PATH]<br /><br />
OR<br /><br />
[N;/PATH]<br /><br />
N - can be a string.<br /><br />
EXAMPLES:<br /><br /></font>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<font size="2">1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")</font>
</div>
<br />
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<font size="2">2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")</font>
</div>
<br />
<font size="2">and <br /><br /></font>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<font size="2">3. session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")</font>
</div>
<br />
<font size="2">-1477-1493--- Code from PHP520 ext/session/session.c [START]<br /></font>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<pre>
PHP_FUNCTION(session_save_path)
{
    zval **p_name;
    int ac = ZEND_NUM_ARGS();
    char *old;

    if (ac &lt; 0 || ac &gt; 1 || zend_get_parameters_ex(ac, &amp;p_name) == FAILURE)
        WRONG_PARAM_COUNT;

    old = estrdup(PS(save_path));

    if (ac == 1) {
        convert_to_string_ex(p_name);
        zend_alter_ini_entry("session.save_path", sizeof("session.save_path"),
            Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
    }

    RETVAL_STRING(old, 0);
}
</pre>
</div>
<font size="2">-1477-1493--- Code from PHP520 ext/session/session.c [END]<br /><br />
The value is stored in hash_memory (but before that, safe_mode and open_basedir check this value). And when you start a session (for example with session_start()), the value from session.save_path is checked by the function PS_OPEN_FUNC(files).<br /><br />
-242-300--- Code from PHP520 ext/session/mod_files.c [START]<br /></font>
<div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee">
<pre>
PS_OPEN_FUNC(files)
{
    ps_files *data;
    const char *p, *last;
    const char *argv[3];
    int argc = 0;
    size_t dirdepth = 0;
    int filemode = 0600;

    if (*save_path == '\0') {
        /* if save path is an empty string, determine the temporary dir */
        save_path = php_get_temporary_directory();
    }

    /* split up input parameter */
    last = save_path;
    p = strchr(save_path, ';');
    while (p) {
        argv[argc++] = last;
        last = ++p;
        p = strchr(p, ';');
        if (argc &gt; 1) break;
    }
    argv[argc++] = last;

    if (argc &gt; 1) {
        errno = 0;
        dirdepth = (size_t) strtol(argv[0], NULL, 10);
        if (errno == ERANGE) {
            php_error(E_WARNING,
                "The first parameter in session.save_path is invalid");
            return FAILURE;
        }
    }

    if (argc &gt; 2) {
        errno = 0;
        filemode = strtol(argv[1], NULL, 8);
        if (errno == ERANGE || filemode &lt; 0 || filemode &gt; 07777) {
            php_error(E_WARNING,
                "The second parameter in session.save_path is invalid");
            return FAILURE;
        }
    }
    save_path = argv[argc - 1];

    data = emalloc(sizeof(*data));
    memset(data, 0, sizeof(*data));

    data-&gt;fd = -1;
    data-&gt;dirdepth = dirdepth;
    data-&gt;filemode = filemode;
    data-&gt;basedir_len = strlen(save_path);
    data-&gt;basedir = estrndup(save_path, data-&gt;basedir_len);

    PS_SET_MOD_DATA(data);

    return SUCCESS;
}
</pre>
</div>
<font size="2">-242-300--- Code from PHP520 ext/session/mod_files.c [END]<br /><br />
Because in session.save_path there is a NULL byte before ";", strchr() doesn't see ";" and the path is /DIR/WHERE/YOU/DONT/HAVE/ACCESS.<br /><br />
The problem exists because safe_mode and open_basedir check what is after ";". And a correct path needs to be set after ";".<br /><br />
--- 2. How to fix ---<br />
http://cvs.php.net/viewcvs.cgi/php-src/NEWS<br /><br />
--- 3. Greets ---<br /><br />
For: sp3x<br />
and<br />
l5x, p_e_a, lorddav, pi3<br /><br />
--- 4. Contact ---<br />
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]<br />
Email: cxib [at] securityreason [dot] com<br />
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg<br /><br />
Regards<br />
SecurityReason<br /><br /></font>
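<p><font size="2">As an added example (not part of the advisory and not PHP's source), the following C program models the mismatch that section 1 above describes: the files handler splits session.save_path with strchr(), which stops at an embedded NUL, while a length-aware safe_mode/open_basedir check sees the text after the ";". The function names, the length-aware check and the sample values are this example's own assumptions; the last function shows the defensive check (reject embedded NUL bytes and require both views to agree).</font></p>

```c
/* Added example (not from the advisory or PHP's source): models why a NUL byte
 * inside session.save_path makes the files save handler and the ini-level
 * safe_mode/open_basedir check disagree about the directory in use, and shows
 * a defensive check that rejects such values. All function names are
 * illustrative and assumed; they are not PHP's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values. bypass_value is the advisory's example 3 written
 * as a C literal: the embedded '\0' is followed by ";/DIR/WHERE/YOU/HAVE/ACCESS". */
static const char bypass_value[] =
    "/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS";
static const size_t bypass_len = sizeof(bypass_value) - 1;
static const char sane_value[] = "5;/DIR/WHERE/YOU/HAVE/ACCESS";
static const size_t sane_len = sizeof(sane_value) - 1;

/* Directory the files handler would actually open. This mirrors the split loop
 * in PS_OPEN_FUNC(files): save_path is treated as a C string, so strchr() never
 * reaches a ';' that sits after an embedded NUL. */
const char *handler_dir(const char *save_path)
{
    const char *argv[3];
    int argc = 0;
    const char *last = save_path;
    const char *p = strchr(save_path, ';');

    while (p) {
        argv[argc++] = last;
        last = ++p;
        p = strchr(p, ';');
        if (argc > 1) break;
    }
    argv[argc++] = last;
    return argv[argc - 1];
}

/* Directory the ini-level check inspects. Assumption of this model: the check
 * receives the full buffer length (zend_alter_ini_entry() passes Z_STRLEN) and
 * scans that whole length for the last ';', so it sees text beyond the NUL. */
const char *checked_dir(const char *value, size_t len)
{
    size_t i = len;
    while (i > 0) {
        if (value[i - 1] == ';')
            return value + i;
        i--;
    }
    return value;
}

/* Defensive acceptance test: refuse values with an embedded NUL, and require
 * that the string the check validates is the string the consumer will use.
 * Returns 1 if the value is safe to accept, 0 otherwise. */
int save_path_is_sane(const char *value, size_t len)
{
    if (memchr(value, '\0', len) != NULL)
        return 0;
    return strcmp(handler_dir(value), checked_dir(value, len)) == 0;
}

int main(void)
{
    printf("handler uses : %s\n", handler_dir(bypass_value));
    printf("check sees   : %s\n", checked_dir(bypass_value, bypass_len));
    printf("bypass value accepted? %d\n", save_path_is_sane(bypass_value, bypass_len));
    printf("sane value accepted?   %d\n", save_path_is_sane(sane_value, sane_len));
    return 0;
}
```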
</div>
</tr>
</tbody>
</table>