From: [EMAIL PROTECTED] Operating system: Unix PHP version: 4.1.0 PHP Bug Type: Unknown/Other Function Bug description: exec()-like calls are done with webserver uid
When safe_mode is enabled, exec()-like calls are still done with the webserver uid, letting users execute any server scripts owned by 'www' (for example). In the case that php_safe_dir = /usr/local/phpexec: # chmod 700 /usr/local/phpexec # chown www.www /usr/local/phpexec inside i put the following sh script: #!/bin/sh # echo `id` Now i log in as user 'veins', make a php script with the following: <? exec("/usr/local/phpexec/id.sh", $value, $return); echo $value[0]; ?> when i go to ~veins/id.php i get the following: uid=67(www) gid=67(www) groups=67(www) -- Edit bug report at: http://bugs.php.net/?id=14448&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]