Date: Thu, 17 Jul 2003 10:08:08 +0200
From: Michal Krause <michal@...use.cz>
To: bugtraq@...urityfocus.com
Subject: Re: PHP safe mode broken?

On 16/07/2003, Michal Krause wrote:

> Hi,
>
> I think there is a bug in PHP safe mode handling from version 4.3.0
> till now.

I forgot to provide straight information on how to fix this bug until there is an official patch. I hope it was clear from my previous email, but if not, here is one of the possible solutions: find the function php_check_safe_mode_include_dir in the file main/fopen_wrappers.c and change its last statement from

    return 0;

to

    return -1;

(you can find it at line 253 in PHP version 4.3.2). Then recompile PHP, install it and restart the web server.

To test it, create a simple PHP script owned by some regular user, which will try to include /etc/passwd, for example:

    <?php
    // With safe mode enabled, this include should fail with a safe mode error.
    echo("trying to read /etc/passwd");
    include("/etc/passwd");
    ?>

This script should fail with a safe mode error (when safe mode is enabled, of course).

Best regards
Michal Krause