ID: 16108 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Bogus Bug Type: *Web Server problem Operating System: *unix PHP Version: 4.1.2 New Comment:
This is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php Previous Comments: ------------------------------------------------------------------------ [2002-03-15 16:38:38] [EMAIL PROTECTED] Hi! My name is Leandro, and I've been doing some PHP tests as I could. The problem is: When I execute the command ``, I'm able to do any shell command that the HTTP user has right. Ok! Everybody know. But I could copy the /etc/passwd and I did other things like: cp, mv, rm, mkdir, cat, netstat, ps... Well, as you can see, I'm able to know as much things as I want, like: which plataform, software, local network, aliases, sendmail conf, apache conf, bind, copy the *.PHP, *.JSP, *.ASP ... files and the server won't interprete it "I can copy their code", run software puted in the server by me, ... eg. echo (`cat /etc/passwd`); echo (`ps ax`); echo (`netstat -an`); `cp /etc/named.conf /my/web/dir/named.conf´; `cp /your/web/dir/addcart.php /my/web/dir`; echo (`cat /your/web/dir/login.php /my/web/dir`); Well, how seen before, I'm able to know what I want about the server I am in. I think it's a terrible problem. I'm horried abault it. Best regards. Leandro Sousa de Carvalho web developer - RJ - Brazil ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=16108&edit=1
