From: [EMAIL PROTECTED] Operating system: Linux PHP version: 4.2.2 PHP Bug Type: Filesystem function related Bug description: safe_mode bypass from uploaded script
I'm using php as Apache module in an hosting environment with safe_mode On. Every user transfer their script via FTP so every script has his own UID and the php execution can be safe (it cannot access to files of other domains), but if somebody upload a php script (via upload or via a script create by another php script) this script get owner and group nobody:nobody (nobody is the apache users). So if somebody upload a malicious script that try to open the script owned by nobody (this uploaded or installed by php too) of another users he get successful. Is this normal or it's a "bug" ? I've noticed this because a lot of users use phpnuke/postnuke so their configuration files are store in .php.inc files that are owned by nobody, if another users know this could read other's files and password. Regards. -- Edit bug report at http://bugs.php.net/?id=19709&edit=1 -- Try a CVS snapshot: http://bugs.php.net/fix.php?id=19709&r=trysnapshot Fixed in CVS: http://bugs.php.net/fix.php?id=19709&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=19709&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=19709&r=needtrace Try newer version: http://bugs.php.net/fix.php?id=19709&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=19709&r=support Expected behavior: http://bugs.php.net/fix.php?id=19709&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=19709&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=19709&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=19709&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=19709&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=19709&r=dst
