The purpose of PHP's safe_mode option is to solve some of the problems described in this chapter. However, it is architecturally incorrect to solve this type of problem at the PHP level, as stated in the PHP manual (//m.sbmmt.com/).
When safe mode is in effect, PHP will check the owner of the file read (or operated) by the script being executed to ensure that it is the same as the owner of the script. While this does protect against many of the examples in this chapter, it does not affect programs written in other languages. For example, use a CGI script written in Bash:
#!/bin/bash echo "Content-Type: text/plain" echo "" cat /home/victim/inc/db.inc
Does the Bash parser care about or even check the configuration string in the PHP configuration file to turn on safe mode? of course not. Similarly, other languages supported by the server, such as Perl, Python, etc., will not care about this. All examples in this chapter can be easily adapted to other programming languages.
Another typical problem is that safe mode does not deny access to files belonging to the WEB server. This is because a script can be used to create another script, and the new script belongs to the WEB server, so it can access all files belonging to the WEB server:
<?php $filename = 'file.php'; $script = '<?php header(\'Content-Type: text/plain\'); readfile($_GET[\'file\']); ?>'; file_put_contents($filename, $script); ?>
## The above script creates the following file:
<?php header('Content-Type: text/plain'); readfile($_GET['file']); ?>
## Since the file was created by the Web server, its owner is the Web server (Apache is generally run as the nobody user):
Therefore, this script can bypass many of the security measures provided by safe mode. Even if safe mode is turned on, the attacker can still display some information such as session information saved in the /tmp directory because these files belong to the web server (nobody).
PHP's safe mode does play some role and can be considered a defense-in-depth mechanism. However, it provides only poor protection, and there are no other security measures in this chapter to replace it.
The above is the content of PHP security-security mode. For more related content, please pay attention to the PHP Chinese website (m.sbmmt.com)! $ ls file.php
-rw-r--r-- 1 nobody nobody 72 May 21 12:34
file.php