Tim.
At 09:47 PM 9/25/2004, Chris Shiflett wrote:
--- Tim Traver <[EMAIL PROTECTED]> wrote:
> I can guarantee that is not the way it is supposed to be. We
> make sure that can't happen by running in Safe mode, using the
> open_basedir directive, and making sure the directory tree has
> the correct permissions so the situation you described cannot
> happen.
The safe_mode and open_basedir directives are certainly no protection. I'm curious what sort of permissions you are using that prevents this scenario, since it seems impossible to me. If the legitimate developer can include code using include or require, it means the Web server must be able to read those files. The exception would be if you're running each user in a chroot jail or something, mimicking a dedicated environment.
> So, I'd say that your shared host is doing a poor job of
> implementing PHP.
I used to think the same, but I've changed my mind, because:
1. safe_mode is no protection.
2. Many prepackaged PHP applications don't work with safe_mode enabled.
Hope that helps.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
     Coming December 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
SimpleNet's Back ! http://www.simplenet.com