ID: 13207
Comment by: etng at zju dot edu dot cn
Reported By: jedi at tstonramp dot com
Status: Bogus
Bug Type: IIS related
Operating System: NT 4.0
PHP Version: 4.0.6
New Comment:

I am using PHP/4.3.5-dev under Windows Server 2003 (build 3790) with Apache/2.0.45. I want to make my computer act as a server for my classmates to publish their websites using the pattern ~/username. So I created a dir named pws in drive G:\, then added a test username, test, and made a dir public_html under it. I have set the httpd.conf of Apache right. When I visit http://localhost:8080//~test/opendir.php I found it is too dangerous to do that if someone tries to hack me. The source code of opendir.php is like this:

<?php
// Lists another user's public_html from a script running under ~test
$handle = opendir('../../anotherusersdir/public_html/');
echo "目录 handle: $handle\n";
echo "档案:\n";
// Compare against false so a file named "0" does not end the loop early
while (false !== ($file = readdir($handle))) {
    echo "$file\n<br>";
}
closedir($handle);
?>

Is there something wrong with the parameter open_basedir in my php.ini file? In that section, I set it like this:

; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir =G:\PWS\*\public_html;E:\QSC
              ~~~~~ user_dir;      ~~~apache docroot

So how can I make it more safe? Please tell me, 3x.

C:\Documents and Settings\Administrator>apache -V
Server version:
Server built: Apr 1 2003 09:24:16
Server's Module Magic Number: 20020903:0
Architecture: 32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/winnt"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/apache"
 -D SUEXEC_BIN="/apache/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"


Previous Comments:
------------------------------------------------------------------------

[2002-06-03 12:16:18] [EMAIL PROTECTED]

Thank you for taking the time to report a problem with PHP.
Unfortunately your version of PHP is too old -- the problem
might already be fixed. Please download a new PHP
version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

------------------------------------------------------------------------

[2001-12-02 04:47:36] [EMAIL PROTECTED]

Reproduced with 4.1.0RC4 on Windows 2000 with Apache 1.3.22! Is this a bug or non-documented behaviour???

------------------------------------------------------------------------

[2001-11-11 12:20:29] [EMAIL PROTECTED]

Try using a slash (/) or a double backslash (\\) instead of a single backslash. Does that work?

------------------------------------------------------------------------

[2001-09-10 02:20:12] jedi at tstonramp dot com

Unless there is some other configuration I'm not aware of, I mentioned in the bug report that I have open_basedir enabled, in that it says C:\inetpub as my open_basedir value when I do phpinfo().

If there's something wrong with the path format, I guess I could understand that, although I've seen other Win-style path formats in phpinfo that take the same format.

------------------------------------------------------------------------

[2001-09-07 21:25:52] [EMAIL PROTECTED]

You don't have open_basedir enabled. The error message from an open_basedir restriction is not "permission denied". Does your phpinfo() output tell you that open_basedir is in effect?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/13207

--
Edit this bug report at http://bugs.php.net/?id=13207&edit=1
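
The per-directory setup that the php.ini comment quoted in the new comment points to, as an added example that is not part of the bug report or of PHP's own documentation. It assumes PHP is loaded as an Apache module and reuses the poster's paths; the second user "alice" is hypothetical.

```apache
# Added example, not from the bug report. Assumes PHP is loaded as an
# Apache module (php_admin_value is only valid then) and the poster's
# layout: G:\PWS\<user>\public_html, docroot E:\QSC. "alice" is a
# hypothetical second user.

# Weak: one global php.ini value shared by every script on the server.
#   open_basedir = G:\PWS\*\public_html;E:\QSC
# open_basedir entries are literal path prefixes, so "*" is never expanded
# to "each user's own directory". A single global value also cannot tell
# ~test from ~alice: whatever it allows, it allows for every user's script.

# "*" is a valid pattern here, in mod_userdir, which maps /~user/ requests.
UserDir "G:/PWS/*/public_html"

# Corrected: one open_basedir per user directory, set with php_admin_value
# so that .htaccess files and ini_set() cannot override it. The trailing
# slash restricts access to that directory and below, rather than to every
# path that merely starts with the same string.
<Directory "G:/PWS/test/public_html">
    php_admin_value open_basedir "G:/PWS/test/public_html/"
</Directory>

<Directory "G:/PWS/alice/public_html">
    php_admin_value open_basedir "G:/PWS/alice/public_html/"
</Directory>

# The main site keeps its own boundary.
<Directory "E:/QSC">
    php_admin_value open_basedir "E:/QSC/"
</Directory>
```

After restarting Apache, phpinfo() requested from inside a user directory should list that directory as the Local Value of open_basedir. The opendir.php test above should then produce an open_basedir restriction warning instead of a directory listing.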