Chris,
I believe that is the reason that the PHP group came up with the open_basedir directive.
The open_basedir prevents you from looking into anything higher than a particular directory tree using PHP.
So, a combination of safe_mode and open_basedir should prevent your script from being able to walk the tree.
Is there some way to get around open_basedir?
I didn't think there was, and if there is, then we better post that to the security guys at php, cause that's not good.
Yes, there are many scripts that assume no safe_mode, and therefore do not work. It usually means they are trying to do something a little more powerful with the filesystem, or system commands, and shared hosts don't want random system commands being run on the machines...;)
Am I saying it's perfect? No. I think it should be pretty safe though if implemented correctly.
Tim.
At 09:47 PM 9/25/2004, Chris Shiflett wrote:
--- Tim Traver <[EMAIL PROTECTED]> wrote:
> I can guarantee that is not the way it is supposed to be. We
> make sure that can't happen by running in Safe mode, using the
> open_basedir directive, and making sure the directory tree has
> the correct permissions so the situation you described cannot
> happen.
The safe_mode and open_basedir directives are certainly no protection. I'm curious what sort of permissions you are using that prevents this scenario, since it seems impossible to me. If the legitimate developer can include code using include or require, it means the Web server must be able to read those files. The exception would be if you're running each user in a chroot jail or something, mimicking a dedicated environment.
> So, I'd say that your shared host is doing a poor job of
> implementing PHP.
I used to think the same, but I've changed my mind, because:
1. safe_mode is no protection.
2. Many prepackaged PHP applications don't work with safe_mode enabled.
Hope that helps.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly, Coming December 2004
HTTP Developer's Handbook - Sams, http://httphandbook.org/
PHP Community Site, http://phpcommunity.org/
SimpleNet's Back ! http://www.simplenet.com
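To make concrete what the open_basedir check discussed in this thread does and does not cover, here is an added example (not code from either poster): a small PHP audit helper that takes a vhost's open_basedir value and reports which candidate paths it would admit. The paths, the `/home/alice` and `/home/bob` layout and the `path_allowed` function are assumptions for illustration; the check here normalises `..` segments lexically and requires a directory boundary, which is stricter than PHP's own prefix-only matching, and unlike PHP it does not resolve symlinks.

```php
<?php
// Added example, not from the thread. Assumed per-vhost setting, e.g. in
// an Apache vhost:  php_admin_value open_basedir "/home/alice/public_html:/tmp"

// Lexically collapse "." and ".." so a traversal cannot slip past the prefix test.
// (PHP itself uses realpath(), which also resolves symlinks; this helper does not.)
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Return true if $path falls under one of the open_basedir entries.
// Entries are separated by PATH_SEPARATOR (':' on Unix, ';' on Windows).
function path_allowed(string $path, string $openBasedir): bool
{
    $target = normalize_path($path);
    foreach (array_filter(explode(PATH_SEPARATOR, $openBasedir)) as $base) {
        // Require a directory boundary: "/home/alice" must not admit "/home/alicex".
        $prefix = rtrim(normalize_path($base), '/') . '/';
        if (strpos($target . '/', $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the vhost's setting and a few include candidates.
$setting = '/home/alice/public_html:/tmp';
$candidates = [
    '/home/alice/public_html/lib/db.php',                     // allowed
    '/home/alice/public_html/../../bob/public_html/config.php', // denied (normalises to bob's tree)
    '/home/alice/public_html_old/config.php',                 // denied (prefix but not a subdirectory)
    '/etc/passwd',                                            // denied
];
foreach ($candidates as $p) {
    printf("%-60s %s\n", $p, path_allowed($p, $setting) ? 'allowed' : 'denied');
}
```

Note that, as Chris points out above, this only limits what the PHP engine will open; any other route by which the web server user can read another customer's files is untouched by it.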