ID: 17163
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux 2.4.18
PHP Version: 4.2.0
New Comment:
Just to follow up on this because I can already see your mind working
on how this might be exploited through a script making a copy of itself
and now having the web server user id as its owner. The theory is that
the web server user id does not own any system critical directories and
user directories are supposed to be owned by individual users so the
only potential for an exploit would be a cloned script renaming
something in a directory created by another user through a web
interface, but that is a bit of a tradeoff I made on purpose way back
when.
Previous Comments:
------------------------------------------------------------------------
[2002-05-12 11:18:03] [EMAIL PROTECTED]
Actually, we allow a rename in a directory if that directory is owned
by the same user id as the running script. So this one is not a bug.
Verify this statement and re-open if you find that this is not the
case.
------------------------------------------------------------------------
[2002-05-12 11:00:06] [EMAIL PROTECTED]
rename() function can be used to rename files a user has no access to
according to safe_mode.
Ex.
touch test
<?php rename('test', 'test2'); ?>
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=17163&edit=1
