PHP :: Bug #4367 :: read source code of ANY file on the server

Bug #4367	read source code of ANY file on the server
Submitted:	2000-05-09 21:24 UTC	Modified:	2000-05-21 17:12 UTC
From:	alex at twoteeth dot net	Assigned:
Status:	Closed	Package:	Other
PHP Version:	3.0.16	OS:	FreeBSD 3.4-RELEASE
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2000-05-09 21:24 UTC] alex at twoteeth dot net

ok mysql.php3 is in /home/httpd/htdocs/
and show_source.php3 is in /home/mystik/public_html/
here's a sample script that the user "mystik" created:
<?
print("<pre>");
system("cat /home/httpd/htdocs/mysql.php3");
print("</pre>");
?>

Obviously you can see what that does. Is there a way to configure apache or the php3.ini file to make it impossible for the user to access that specific file ?
I read the security section in the manual and i saw something about user_dir and doc_root. It's not too clear on how to set the, etc.
Please look into this.
Regards

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-05-21 17:12 UTC] jimw at cvs dot php dot net

read up on safe_mode.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon May 06 05:01:31 2024 UTC