ID: 13261
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Feature/Change Request
Operating System: Any
PHP Version: 4.0.6
New Comment:

Just to clarify, a method of specifying open_basedir dynamically would be nice. Sorry 
I didn't make that clear first time.

Previous Comments:
------------------------------------------------------------------------

[2001-09-12 05:21:11] [EMAIL PROTECTED]

echo `ls /home`;

In a virtual host situation, this is very dangerous. On my own host - as an experiment 
- I was able to bring back a directory listing of any other site on the same box. I 
then did an fread() on his database abstraction script and read the passwords for his 
database. Then I logged into his MySQL database and was free to mess with his site.

It would be EXTREMELY useful to be able to limit the scope of the filesystem functions 
so they can only read files inside $DOCUMENT_ROOT. Although that wouldn't stop me from 
typing `cat /home/user/www/database.php`; and getting the same data. This really needs 
addressing, guys!

------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=13261&edit=1
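
The report's last point, that a filesystem restriction would not stop a `cat` run through backticks, as an added example that is not part of the bug report or of PHP itself: open_basedir is checked by PHP's file functions, not by commands handed to a shell, so a site is confined only when shell execution is disabled as well (disable_functions in php.ini). The function name audit_isolation and all paths are constructed for illustration.

```php
<?php
// Added example (not from the bug report). Paths below are constructed.

// Functions that start a shell or process. The backtick operator is
// disabled together with shell_exec().
const SHELL_FUNCS = ['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open'];

// Returns a list of findings for one site's effective settings.
function audit_isolation(string $openBasedir, string $disableFunctions, string $docRoot): array
{
    $findings = [];
    $root = rtrim($docRoot, '/') . '/';

    $entries = array_filter(array_map('trim', explode(PATH_SEPARATOR, $openBasedir)), 'strlen');
    if (!$entries) {
        $findings[] = 'open_basedir is unset: file functions can read any path the server user can';
    }
    foreach ($entries as $entry) {
        $prefix = rtrim($entry, '/') . '/';
        // An entry that is a strict ancestor of the document root also covers sibling sites.
        if ($prefix !== $root && strpos($root, $prefix) === 0) {
            $findings[] = "open_basedir entry '$entry' is a parent of the document root";
        }
    }

    $disabled = array_map('trim', explode(',', $disableFunctions));
    $missing = array_diff(SHELL_FUNCS, $disabled);
    if ($missing) {
        $findings[] = 'shell execution not disabled (' . implode(', ', $missing)
            . '): commands run outside open_basedir checks';
    }
    return $findings;
}

// Constructed settings for a hypothetical shared-host site, plus the live interpreter.
$noShell = implode(',', SHELL_FUNCS);
$liveRoot = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: (string) getcwd();
$cases = [
    'open_basedir only' => ['/home/user/www', '', '/home/user/www'],
    'entry too broad'   => ['/home', $noShell, '/home/user/www'],
    'both layers'       => [implode(PATH_SEPARATOR, ['/home/user/www', '/tmp']), $noShell, '/home/user/www'],
    'this interpreter'  => [(string) ini_get('open_basedir'), (string) ini_get('disable_functions'), $liveRoot],
];
foreach ($cases as $name => [$basedir, $disabled, $docRoot]) {
    $findings = audit_isolation($basedir, $disabled, $docRoot);
    echo $name, ': ', $findings ? implode('; ', $findings) : 'no findings', PHP_EOL;
}
```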

