On Sun, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I came upon a strange problem when trying to list directories in safe
> mode as a normal user. Of course I expected this not to work, because
> safe_mode disables the possibility of reading files that do not belong to
> the owner of the PHP file. However, it does not seem to check for
> directory ownerships. (debian stable, PHP4.1.2). PHP does give a warning
> about safe_mode (as seen below) but then nicely lists the directory :(
> This means any user can just browse through any dir. on my system. PHP
> obviously still obeys UNIX file permissions so I could tighten up those,
> and enable basedir restrictions and stuff, but it looks to me that this
> is just a (major) bug?

Hello,

it is widely known that safe_mode is not really safe. You might want to restrict access with open_basedir. The most secure solution is still to install PHP's CGI executable in an suexec environment.
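
Added example, not part of the original messages: a per-virtual-host open_basedir restriction of the kind the reply suggests, with a loose setting beside a tighter one. Host names and paths are constructed placeholders, and the setup assumes PHP running as an Apache module, where php_admin_value settings cannot be overridden from .htaccess or ini_set().

```apache
# Constructed example: host names and paths are placeholders.

# Loose: PHP releases that treat open_basedir as a string prefix
# (this includes the PHP 4 series) also accept /home/alice/www2 and
# /home/alice/www-private here, because there is no trailing slash.
<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /home/alice/www
    php_admin_value open_basedir "/home/alice/www"
</VirtualHost>

# Tighter: the trailing slash limits the match to that directory tree.
# A per-user temp directory is listed so that uploads and sessions
# keep working without opening the shared /tmp to every site.
<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /home/bob/www
    php_admin_value open_basedir "/home/bob/www/:/home/bob/tmp/"
    php_admin_value upload_tmp_dir "/home/bob/tmp"
    php_admin_value session.save_path "/home/bob/tmp"
</VirtualHost>
```

With the second form, a directory listing outside /home/bob/www/ and /home/bob/tmp/ is refused by PHP itself, independently of safe_mode and of the UNIX permissions on the target directory.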