From: [EMAIL PROTECTED]
Operating system: Win2K
PHP version: 4.1.2
PHP Bug Type: Directory function related
Bug description: Displaying the file system

A client has posted us the following code, after being able to view the complete filesystem on a Windows 2000 server we resell space on:

----------------------------------------------------
<?
// get directory handle
$hook = dir("c:winnt");

// display location
echo "<b>Current path is $hook->path</b><br>";

// read directory and echo list
while ($file=$hook->read()) {
    if ($file != "." && $file != "..") {
        echo "$file<br>";
    }
}

// close directory
$hook->close();
?>
----------------------------------------------------

Is there any way to protect against this, and does it represent a security flaw?

Thanks

Gary

--
Edit bug report at http://bugs.php.net/?id=15852&edit=1
--
Fixed in CVS: http://bugs.php.net/fix.php?id=15852&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=15852&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=15852&r=needtrace
Try newer version: http://bugs.php.net/fix.php?id=15852&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=15852&r=support
Expected behavior: http://bugs.php.net/fix.php?id=15852&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=15852&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=15852&r=submittedtwice
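
One way for a host to check whether a customer script can list directories outside its own account, added here as an example and not part of the original report. It assumes each site is meant to be confined with PHP's `open_basedir` directive (the path in the comment is hypothetical) and probes every parent of the script's own directory.

```php
<?php
// Added example, not from the original report.
// Assumption: each customer site is meant to be confined with a php.ini line
// such as   open_basedir = "D:\customers\example"   (hypothetical path).

// Try to open each directory and record whether PHP allowed it.
function probe_directories($dirs)
{
    $results = array();
    foreach ($dirs as $dir) {
        // @ hides the warning PHP raises when the call is refused,
        // either by open_basedir or by file-system permissions
        $handle = @opendir($dir);
        if ($handle === false) {
            $results[$dir] = 'blocked';
        } else {
            closedir($handle);
            $results[$dir] = 'READABLE';
        }
    }
    return $results;
}

// Collect the starting directory and every parent up to the drive root.
function ancestors($start)
{
    $dirs = array();
    $dir = $start;
    while (true) {
        $dirs[] = $dir;
        $parent = dirname($dir);
        if ($parent === $dir) {
            break; // reached the root
        }
        $dir = $parent;
    }
    return $dirs;
}

header('Content-Type: text/plain');
$basedir = ini_get('open_basedir');
echo 'open_basedir: ', ($basedir ? $basedir : '(not set)'), "\n";
foreach (probe_directories(ancestors(dirname(__FILE__))) as $dir => $state) {
    echo str_pad($state, 9), $dir, "\n";
}
```

Directories at or below the account's own root should be the only ones marked READABLE; a parent directory reported READABLE means scripts in that account can list files outside it.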