ID: 36297 Updated by: [EMAIL PROTECTED] Reported By: smartgenius1 at yahoo dot com -Status: Closed +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: Windows PHP Version: 5.1.2
Previous Comments: ------------------------------------------------------------------------ [2006-02-05 22:02:13] smartgenius1 at yahoo dot com Aaah ok. I see "The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir()." I am very sorry if I seemed to cause any problems. I have looked at that before; but just overlooked that. Mistake. Sorry again Closed ------------------------------------------------------------------------ [2006-02-05 22:00:29] [EMAIL PROTECTED] "The restriction specified with open_basedir is actually a prefix, not a directory name." (c) ------------------------------------------------------------------------ [2006-02-05 21:54:25] judas dot iscariote at gmail dot com smartgenius1: can you RTFM please ? http://php.net/manual/en/features.safe-mode.php#ini.open-basedir you **should** use absolute paths ¡¡¡ i.e open_basedir = /path/to/your/data/ ------------------------------------------------------------------------ [2006-02-05 21:33:27] smartgenius1 at yahoo dot com Ah well. The least you guys should do is put up a warning on the chdir() page that Windows does not have UIDs. ------------------------------------------------------------------------ [2006-02-05 21:26:04] smartgenius1 at yahoo dot com This bug is NOT bogus. The support here will just not take the time to read what I am trying to say. chdir() should check the open_basedir restriction. It doesnt. I was able to get into my friends computer, because he believed that the open_basedir restriction and safe_mode would prevent people from accessing his files. This function did not follow the open_basedir restriction and let me get into his system files. Anybody that is thinking about hosting or letting other people use PHP on their windows computer... they need to know about this. This is not a bogus bug. This is a very critical bug; but nobody will take the time to read through it. I guess its OK that tons of windows users trust the open_basedir restriction enough to think that this type of thing cannot happen. Boy wont they be in a surprise when somebody uses this exploit and erases their entire computer. Good day. ~Sean ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/36297 -- Edit this bug report at http://bugs.php.net/?id=36297&edit=1
