Bug #22368 safe mode on allows users to include (read) system files
Submitted: 2003-02-21 20:51 UTC
Modified: 2003-02-22 14:10 UTC
From: phpspam at overclockersclub dot com
Assigned:
Status: Not a bug
Package: PHP options/info functions
PHP Version: 4.3.1
OS: Red Hat 7.2 Linux
Private report: No
CVE-ID: None
 [2003-02-21 20:51 UTC] phpspam at overclockersclub dot com
Safe Mode appears to be on; it says it's on for local and master via phpinfo() script. I can virtual include /etc/passwd and it will show the contents of the file. However, "some" functions appear to be blocked by safe mode.

 [2003-02-22 14:10 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Safemode prevents PHP from opening files owned by a user different from the one PHP is running as. If your /etc/passwd is owned by root and your PHP runs as root, safe_mode will not stop PHP from opening the file.
 [2003-02-22 17:00 UTC] phpspam at youknow dot com
PHP is NOT run by root in this case, and the /etc/passwd is owned by root.
 
Last updated: Thu Dec 26 16:01:31 2024 UTC