Assume a PHP5/Apache2 web server has been set up with the following line in the [login to view URL]:

```ini
disable_functions = readfile, fpassthru, file, file_get_contents, system, fopen, symlink, rename, copy, exec, passthru, pcntl_exec, backtick_operator, shell_exec, popen, proc_open
```

Tell me a way in which any untrusted PHP script running on this server can retrieve and display the contents of an arbitrary file on the server. Hypothetical answers will not be accepted; an actual exploit script will need to be uploaded to RAC.

You'll need to set up your own server for experimentation and research. In your setup you should set the [login to view URL] as shown above, and create a userid, e.g. "hacker", who will be trying to gain access to files owned by other users, including files that are public-read (e.g. chmod 644). If the hacker can retrieve the full contents of any such file, you have a successful attack.

- include/require don't count. These functions do not allow anyone to retrieve and display anything; they just execute the file and throw errors (unless it's valid PHP).
- MySQL exploits: assume the mysql userid does not have access to any interesting parts of the filesystem, so LOAD DATA INFILE won't work.

***BONUS***: An additional 100% of your bid amount will also be paid if you can provide a solution for how to close any security hole that you find.

**** RENTACODER REQUIRED STATEMENT FOR SECURITY ASSESSMENT PROJECTS ****

The purpose of the project is to find out if my [login to view URL] is sufficiently secure, and my ultimate purpose is to fully secure my server without any vulnerabilities. I attest on penalty of perjury that this project (and the results of it) will not be used in any way whatsoever that would violate any U.S. law. If you bid on this project, you must also add: ‘I attest on penalty of perjury that I will only use the results of this project on my own systems or systems where the owner has authorized me fully to use it.’
## Deliverables
1) Complete and fully-functional working program(s) in executable form as well as complete source code of all work done.
2) Deliverables must be in ready-to-run condition, as follows (depending on the nature of the deliverables):
a) For web sites or other server-side deliverables intended to only ever exist in one place in the Buyer's environment--Deliverables must be installed by the Seller in ready-to-run condition in the Buyer's environment.
b) For all others including desktop software or software the buyer intends to distribute: A software installation package that will install the software in ready-to-run condition on the platform(s) specified in this bid request.
3) All deliverables will be considered "work made for hire" under U.S. Copyright law. Buyer will receive exclusive and complete copyrights to all work purchased. (No GPL, GNU, 3rd party components, etc. unless all copyright ramifications are explained AND AGREED TO by the buyer on the site per the coder's Seller Legal Agreement).
* * *

This broadcast message was sent to all bidders on Wednesday, Jul 16, 2008, 9:45:47 AM:
***IMPORTANT*** The requirements for this project have changed a few times. If you have seen this project previously, please re-read the requirements and update your bid.
## Platform
Apache2/PHP5 on Ubuntu 6.10, configured using apt-get install. This is a standard Ubuntu setup with Apache2 running under the www-data userid.