ID: 17163
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux 2.4.18
PHP Version: 4.2.0
New Comment:

Perhaps I didn't explain it well. Safe-mode also checks the directory that a.php is in. If the owner of a.php matches the owner of '.' then the rename is allowed.

Previous Comments:
------------------------------------------------------------------------

[2002-05-12 11:39:43] [EMAIL PROTECTED]

mkdir test; ls -ld test
drwxr-xr-x 2 forum forum 4096 May 12 11:33 test

ls -l a.php
-rw-rw-rw- 1 www www 44 May 12 10:57 a.php

a.php:
<?php rename('test', 'test3'); ?>

Script runs without errors, end result:

ls -ld test3
drwxr-xr-x 2 forum forum 4096 May 12 11:35 test3

It works with files as well as directories.

------------------------------------------------------------------------

[2002-05-12 11:38:37] [EMAIL PROTECTED]

mkdir test; ls -ld test
drwxr-xr-x 2 forum forum 4096 May 12 11:33 test

ls -l a.php
-rw-rw-rw- 1 www www 44 May 12 10:57 a.php

a.php:
<?php rename('test', 'test3'); ?>

Script runs without errors, end result:

ls -ld test3
drwxr-xr-x 2 forum forum 4096 May 12 11:35 test3

------------------------------------------------------------------------

[2002-05-12 11:22:27] [EMAIL PROTECTED]

Just to follow up on this because I can already see your mind working on how this might be exploited through a script making a copy of itself and now having the web server user id as its owner. The theory is that the web server user id does not own any system critical directories and user directories are supposed to be owned by individual users so the only potential for an exploit would be a cloned script renaming something in a directory created by another user through a web interface, but that is a bit of a tradeoff I made on purpose way back when.

------------------------------------------------------------------------

[2002-05-12 11:18:03] [EMAIL PROTECTED]

Actually, we allow a rename in a directory if that directory is owned by the same user id as the running script. So this one is not a bug. Verify this statement and re-open if you find that this is not the case.

------------------------------------------------------------------------

[2002-05-12 11:00:06] [EMAIL PROTECTED]

rename() function can be used to rename files a user has no access to according to safe_mode.

Ex.
touch test

<?php rename('test', 'test2'); ?>

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=17163&edit=1
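
An added example, not part of the bug report and not PHP's own code: a small Python audit that models the rename rule as the comments above describe it and lists entries a script owner could rename only because it owns the containing directory. The function names, the uids and the sample paths are constructed for illustration; the sample assumes '.' is owned by www, which the report does not state.

```python
import os
from collections import namedtuple

# One filesystem object: its path and the uid that owns it.
Entry = namedtuple("Entry", "path uid")

def rename_allowed(script_uid, target_uid, dir_uid):
    """Rule as described in the thread (a model, not PHP's source): allow if
    the script's owner owns the target, or owns the directory it sits in."""
    return script_uid == target_uid or script_uid == dir_uid

def scan_tree(root):
    """Collect Entry records for root and everything below it (lstat, so
    symlinks are reported themselves rather than followed)."""
    entries = [Entry(root, os.lstat(root).st_uid)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            entries.append(Entry(path, os.lstat(path).st_uid))
    return entries

def exposed_entries(entries, script_uid):
    """Paths NOT owned by script_uid that it could still rename, because the
    containing directory is owned by script_uid."""
    owner = {e.path: e.uid for e in entries}
    hits = []
    for e in entries:
        parent = os.path.dirname(e.path)
        if parent not in owner or e.uid == script_uid:
            continue  # parent unknown, or plain same-owner case
        if rename_allowed(script_uid, e.uid, owner[parent]):
            hits.append(e.path)
    return sorted(hits)

# Constructed sample mirroring the report: uid 33 stands for "www",
# uid 1001 for "forum"; /srv/site plays the role of '.'.
SAMPLE = [
    Entry("/srv/site", 33),
    Entry("/srv/site/a.php", 33),
    Entry("/srv/site/test", 1001),
    Entry("/srv/forum", 1001),
    Entry("/srv/forum/data", 1001),
]

if __name__ == "__main__":
    for path in exposed_entries(SAMPLE, script_uid=33):
        print(path)
```

Running exposed_entries(scan_tree(docroot), web_server_uid) on a real tree shows where the tradeoff mentioned in the 11:22:27 comment applies.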