 |
 |
 |
 |
|
|
Date: 05/09/00
- Next message: macro <email protected>: "[PHP-DEV] PHP 4.0 Bug #4368: Compile thttpd server api error"
- Previous message: jordi79 <email protected>: "[PHP-DEV] PHP 4.0 Bug #4366: PHP4 just doesn't integrate /w PWS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
From: alex <email protected>
Operating system: FreeBSD 3.4-RELEASE
PHP version: 3.0.16
PHP Bug Type: Other
Bug description: read source code of ANY file on the server
ok mysql.php3 is in /home/httpd/htdocs/
and show_source.php3 is in /home/mystik/public_html/
here's a sample script that the user "mystik" created:
<?
print("<pre>");
system("cat /home/httpd/htdocs/mysql.php3");
print("</pre>");
?>
Obviously you can see what that does. Is there a way to configure apache or the php3.ini file to make it impossible for the user to access that specific file ?
I read the security section in the manual and i saw something about user_dir and doc_root. It's not too clear on how to set the, etc.
Please look into this.
Regards
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>
- Next message: macro <email protected>: "[PHP-DEV] PHP 4.0 Bug #4368: Compile thttpd server api error"
- Previous message: jordi79 <email protected>: "[PHP-DEV] PHP 4.0 Bug #4366: PHP4 just doesn't integrate /w PWS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]