Bug #19709 safe_mode bypass from uploaded script
Submitted: 2002-10-02 04:07 UTC
Modified: 2002-10-02 08:00 UTC
From: davidegiunchi at libero dot it
Assigned:
Status: Not a bug
Package: Filesystem function related
PHP Version: 4.2.2
OS: Linux
Private report: No
CVE-ID: None
 [2002-10-02 04:07 UTC] davidegiunchi at libero dot it
I'm using php as an Apache module in a hosting environment with safe_mode On.
Every user transfers their scripts via FTP, so every script has its own
UID and the php execution can be safe (it cannot access files of other domains),
but if somebody uploads a php script (via upload or via a script created by another
php script) this script gets owner and group nobody:nobody (nobody is the apache
user).
So if somebody uploads a malicious script that tries to open
the scripts owned by nobody (also uploaded or installed by php)
of another user, he succeeds.
Is this normal or is it a "bug"?

I've noticed this because a lot of users use phpnuke/postnuke,
so their configuration files are stored in .php.inc files that
are owned by nobody; if another user knows this, he could read others'
files and password.

Regards.

 [2002-10-02 08:00 UTC] iliaa@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.

That's why you should set up open_basedir for each user (virtual host), which prevents users from opening files that are outside of their home/web directory.
Files uploaded via PHP will always be owned by the webserver; there is no way to avoid this unless you use PHP as CGI.
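
The per-virtual-host open_basedir setup suggested in the reply above, sketched as an added example that is not part of the original report or the PHP project's own configuration. The host names, user names and paths are constructed placeholders.

```apache
# Constructed example: two customers on one mod_php server, safe_mode On.
# Files created by PHP (uploads, installer-written config files) end up
# owned by the web server user in both trees, so the safe_mode owner check
# does not separate them. open_basedir confines each vhost by path instead.

<VirtualHost *:80>
    ServerName   alice.example
    DocumentRoot /home/alice/public_html

    # php_admin_value cannot be overridden from .htaccess or ini_set().
    # Keep the trailing slash: open_basedir is a prefix match, so
    # "/home/alice" would also allow "/home/alice2/...".
    php_admin_value open_basedir   "/home/alice/public_html/:/home/alice/tmp/"

    # Per-customer upload spool inside the allowed tree, instead of a
    # shared /tmp that every vhost would need access to.
    php_admin_value upload_tmp_dir "/home/alice/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName   bob.example
    DocumentRoot /home/bob/public_html

    # Scripts served from this vhost can no longer open
    # /home/alice/public_html/config.php.inc, whoever owns that file.
    php_admin_value open_basedir   "/home/bob/public_html/:/home/bob/tmp/"
    php_admin_value upload_tmp_dir "/home/bob/tmp"
</VirtualHost>
```

A vhost left without its own open_basedir line stays unconfined unless a restrictive server-wide default is set, so every customer vhost needs the setting.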