From: michele at micheleschiavo dot it Operating system: linux PHP version: 5.2.6 PHP Bug Type: Safe Mode/open_basedir Bug description: open_basedir can be by-pass from "PatriotCracker C99Shell" (defined as virus)
Description: ------------ i set open_basedir "/var/www/ "in php.ini and if i try fopen /etc/passwd, php report the warning and not open /etc/passwd, but the "malware" script can read /etc/passwd. Expected result: ---------------- open_basedir will work -- Edit bug report at http://bugs.php.net/?id=46079&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=46079&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=46079&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=46079&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=46079&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=46079&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=46079&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=46079&r=needscript Try newer version: http://bugs.php.net/fix.php?id=46079&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=46079&r=support Expected behavior: http://bugs.php.net/fix.php?id=46079&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=46079&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=46079&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=46079&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=46079&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=46079&r=dst IIS Stability: http://bugs.php.net/fix.php?id=46079&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=46079&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=46079&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=46079&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=46079&r=mysqlcfg
