How come I can create a simple php-script like this..


<?
include ("$page");
?>


.. and then go to script.php?page=../../../../../../../etc/httpd/conf/httpd.conf and get the contents of the file in my web browser?

httpd.conf says User: httpd and Group: httpd. User httpd should not have access to httpd.conf (or any other system files). Or am I wrong?

I'm using a Cobalt RaQ3.

/j

That could be a bug in the system since the RaQ3 is not integrated with PHP. You could try changing the ownership of the httpd from user httpd to admin. This might prevent that from happening.

Make sure that the user the PHP script runs as or just the Apache user if you aren't using suEXEC (I think httpd as has been said before) doesn't have read permissions to httpd.conf.

Originally posted by batboy
How come I can create a simple php-script like this..


<?
include ("$page");
?>


.. and then go to script.php?page=../../../../../../../etc/httpd/conf/httpd.conf and get the contents of the file in my web browser?

httpd.conf says User: httpd and Group: httpd. User httpd should not have access to httpd.conf (or any other system files). Or am I wrong?
/j

That file is world-readable (chmod 644) so it can be read from any PHP script. This would be the case on any server with PHP configured the same way your install of PHP is configured so it's not a RaQ-specific problem. Use realpath() to prevent references to "../". I'd do as follows:

// $page is file supplied by user.
$allow_path = '/path_to/allowed_files/';
if ( ereg( "^$allow_path", realpath( $page ) )
{
echo "It's safe!";
}
else
{
echo "Danger!";
}

You might also want to consult the PHP manual about safe mode, doc_root and open_basedir which will limit files that can be accessed.

It's not a bug in the system.
Changing ownership of file will not help either.

You will need to remove read permissions for "others" if you want to disallow it:

chmod o-r /etc/httpd/conf/httpd.conf

But I would really suggest that you enable safe mode in your PHP configuration. That disallows PHP users from accessing anything else than their own stuff.

Originally posted by jks
But I would really suggest that you enable safe mode in your PHP configuration. That disallows PHP users from accessing anything else than their own stuff.

Is that in the php.ini file on PHP4?

Originally posted by webbcite


Is that in the php.ini file on PHP4?

Yep.

Thank you for your suggestions.

I added "open_basedir (http://www.php.net/manual/en/configuration.php#ini.open-basedir) = ." to php.ini, now the php-script can only include files from the directory in which the script is stored.

/j

Originally posted by batboy
Thank you for your suggestions.

I added "open_basedir (http://www.php.net/manual/en/configuration.php#ini.open-basedir) = ." to php.ini, now the php-script can only include files from the directory in which the script is stored.

/j

What about for Perl or C scripts? If the file is still readable, you are still vulnerable.

-t