Comment 9 for bug 11223

In , kryps (krypsilon) wrote : Re: [PATCH,RFC] Backport of PHP 4.3.9 security fixes: pack()/unpack()

Hi!

On Wed, 22 Dec 2004 21:24:31 +0100, Florian Weimer <email address hidden> wrote:

> > You can only exploit the bug for which you provided a backport (didn't
> > the patch apply well?) if you write a malicious php script.

There was no official patch, only the diff I extracted from PHP 4.3
CVS, and it did not apply well but the changes to make it apply again
were trivial.

> > That's not an issue. You can do more with a malicious php script
> > with less effort.

It is not remotely exploitable, unless a script writer uses user input
for pack()/unpack() functions (unlikely).

> Unfortunately, PHP provides a feature called "safe mode". When turned
> on, PHP makes the promise that PHP scripts are sandboxed. pack() and
> unpack() are probably available in safe mode, too. (I haven't checked
> this. Hans?)

According to http://www.hardened-php.net/advisories/012004.txt you are
correct. So a PHP script writer can exploit this hole on a machine
running PHP in safe mode to gain privileges of the user running
apache. So it is a hole allowing local privilege elevation for PHP
installations running in safe mode.

Hans
--
Hans Kratz