How can I prevent users from viewing other users' files using the "include" tag of PHP?
Does php_safemode do this? What are the disadvantages of turning safemode on?
Is there another workaround to prevent this? Because this is a security risk. Any user can access other files even if they are owned by another user/group and chmoded to just read access by the owner. Also, I have found that many PHP programs will not work with PHP safemode on; is this true?
I think the same thing could be possible with Perl.
Regards
2host.com
01-18-2003, 07:37 AM
Originally posted by iago
How can I prevent users from viewing other users' files using the "include" tag of PHP?
Does php_safemode do this? What are the disadvantages of turning safemode on?
Is there another workaround to prevent this? Because this is a security risk. Any user can access other files even if they are owned by another user/group and chmoded to just read access by the owner. Also, I have found that many PHP programs will not work with PHP safemode on; is this true?
I think the same thing could be possible with Perl.
Regards
If a user has their file owned to only allow their own user permission to read the file, then PHP won't be able to access it, especially from another user. In fact, PHP couldn't run it (not unless you run PHP as CGI).
If you can set a user's file to allow the user read permission and have group and world be 0 (zero) and PHP can access that file, then there's something seriously wrong with your PHP installation or your web server must be running as root or something!
I think permissions are set OK; in fact, if I try to access the same file from the browser, I get an error (because of the permissions).
The webserver is running as nobody. The files have correct permissions and ownerships (user.user).
I think this is a PHP issue. I was searching and found it can be solved by turning on the safemode option. By doing this, other users will not be able to include or use other users' files.
I'm using modernbill and one of its requirements is to have safemode off. Could this be a problem if I turn this option on? Or how can I set safemode on and just have it off for the account that runs modernbill?
Thanks for your reply! :)
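Added example, not part of the thread: a shell check of the permission argument made in the replies above, listing which files a process that is neither owner nor group member (such as a web server running as nobody) could read through the "other" mode bits. The accounts alice and bob, the file names and the modes are constructed sample data, and ACLs are ignored.

```shell
#!/bin/sh
# Added example: which files can a web server running as "nobody" read?
# It checks only the classic "other" mode bits (no ACLs) below a base directory.

# First ten characters of ls output, e.g. "-rw-r--r--".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Succeeds if a process that is neither the owner nor in the group can
# read file $2: "other" read bit on the file, "other" search bit on every
# directory from the file up to base directory $1.
other_can_read() {
    ocr_base=$1
    case "$(mode_of "$2" | cut -c8)" in r) ;; *) return 1 ;; esac
    ocr_dir=$(dirname "$2")
    while :; do
        case "$(mode_of "$ocr_dir" | cut -c10)" in x|t) ;; *) return 1 ;; esac
        [ "$ocr_dir" = "$ocr_base" ] && return 0
        case "$ocr_dir" in /|.) return 1 ;; esac   # file is not under base
        ocr_dir=$(dirname "$ocr_dir")
    done
}

# Print (relative to $1) every file an unrelated account could include().
list_exposed() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if other_can_read "$1" "$f"; then echo "${f#"$1"/}"; fi
    done
}

# Constructed sample tree: two hypothetical accounts, alice and bob.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/alice" "$d/bob/private"
    echo '<?php /* db password */' > "$d/alice/config.php"
    echo '<?php /* public page */' > "$d/alice/index.php"
    echo '<?php /* notes */'       > "$d/bob/private/notes.php"
    chmod 755 "$d" "$d/alice" "$d/bob"   # mktemp -d creates the dir as 0700
    chmod 700 "$d/bob/private"
    chmod 600 "$d/alice/config.php"
    chmod 644 "$d/alice/index.php" "$d/bob/private/notes.php"
    echo "$d"
}

sample=$(make_sample) && list_exposed "$sample"   # prints: alice/index.php
rm -rf "$sample"
```

The 0644 file under bob/private is not listed because its parent directory is 0700, which shows that the directory search bit protects a file as effectively as the file's own mode.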