From:             [EMAIL PROTECTED]
Operating system: Solaris 8
PHP version:      4.0.6
PHP Bug Type:     Scripting Engine problem
Bug description:  safe mode owner check can be bypassed with symlink

php_checkuid() [main/safe_mode.c:46] first checks the ownership of the
file you are trying to open against the ownership of the executing
script.

If that check fails, it checks the ownership of the directory containing
the file you are trying to open. The second part never calls
VCWD_REALPATH() on the filename before trimming it to get the working
directory. Thus it is simple to bypass safe mode restrictions.

In a directory you own, create a symlink to, say, /etc/passwd, then include
that symlink in a file you own.

e.g.:
$ cd $HOME/public_html
$ ln -s /etc/passwd symlink
$ echo '<pre><?php include "symlink"; ?></pre>' > passwd.php

I have a patch (almost) prepared that calls VCWD_REALPATH() on the
destination, then trims the filename in order to get directory permissions.


-- 
Edit bug report at: http://bugs.php.net/?id=12119&edit=1
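The directory fallback the report describes, with the unresolved lookup beside the realpath-first form the proposed patch takes. This is an added example written for this page, not PHP's php_checkuid() or the reporter's patch; fallback_dir_unresolved(), fallback_dir_resolved(), checkuid() and demo() are names assumed here, and the symlink layout is constructed under /tmp.

```c
#define _GNU_SOURCE
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unresolved form (the bug): strip the last component of the name exactly as
 * the script gave it, so a symlink's own directory is examined, not its target's. */
char *fallback_dir_unresolved(const char *name, char *out, size_t n) {
    char buf[PATH_MAX]; snprintf(buf, sizeof buf, "%s", name);
    snprintf(out, n, "%s", dirname(buf));
    return out;
}

/* Resolved form (the fix the report describes): follow symlinks first, then
 * strip the last component of the real target. NULL if it cannot be resolved. */
char *fallback_dir_resolved(const char *name, char *out, size_t n) {
    char real[PATH_MAX];
    if (realpath(name, real) == NULL) return NULL;
    snprintf(out, n, "%s", dirname(real));
    return out;
}

/* Safe-mode style check: the file, else the fallback directory, must be owned
 * by script_uid; resolve selects which fallback is consulted. */
int checkuid(const char *name, uid_t script_uid, int resolve) {
    struct stat sb; char dir[PATH_MAX];
    if (stat(name, &sb) == 0 && sb.st_uid == script_uid) return 1;
    char *d = resolve ? fallback_dir_resolved(name, dir, sizeof dir)
                      : fallback_dir_unresolved(name, dir, sizeof dir);
    return d != NULL && stat(d, &sb) == 0 && sb.st_uid == script_uid;
}
/* Constructed layout user/symlink -> other/secret: 1 if the two fallbacks name
 * different directories (user/ vs. other/), -1 on setup error. */
int demo(void) {
    char user[] = "/tmp/sm_userXXXXXX", other[] = "/tmp/sm_otherXXXXXX";
    char target[PATH_MAX], link[PATH_MAX], d1[PATH_MAX], d2[PATH_MAX], ro[PATH_MAX];
    if (!mkdtemp(user) || !mkdtemp(other) || !realpath(other, ro)) return -1;
    snprintf(target, sizeof target, "%s/secret", other);
    snprintf(link, sizeof link, "%s/symlink", user);
    FILE *f = fopen(target, "w"); if (f) fclose(f);
    if (!f || symlink(target, link) != 0) return -1;
    fallback_dir_unresolved(link, d1, sizeof d1);
    int ok = fallback_dir_resolved(link, d2, sizeof d2) != NULL
             && strcmp(d1, user) == 0 && strcmp(d2, ro) == 0;
    unlink(link); unlink(target); rmdir(user); rmdir(other);
    return ok;
}
```

With the unresolved fallback the owner check lands on the directory holding the symlink, which the script owner controls; with the resolved fallback it lands on the directory holding the real target.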
