From: [EMAIL PROTECTED]
Operating system: Unix
PHP version: 4.1.0
PHP Bug Type: Unknown/Other Function
Bug description: exec()-like calls are done with webserver uid
When safe_mode is enabled, exec()-like calls are still done with the
webserver uid, letting users execute any server scripts owned by 'www' (for
example).
In the case that php_safe_dir = /usr/local/phpexec:
# chmod 700 /usr/local/phpexec
# chown www.www /usr/local/phpexec
inside i put the following sh script:
#!/bin/sh
#
echo `id`
Now i log in as user 'veins', make a php script with the following:
<? exec("/usr/local/phpexec/id.sh", $value, $return);
echo $value[0]; ?>
when i go to ~veins/id.php i get the following:
uid=67(www) gid=67(www) groups=67(www)
--
Edit bug report at: http://bugs.php.net/?id=14448&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
