
07-18-2007, 01:55 PM
WHT Addict
Join Date: Jun 2007
Posts: 118
Disabling fopen("/etc/passwd","r");
Hello,
I was looking at the c99.php source code to see how it gets the /etc/passwd file. It simply uses fopen() for this, but I think fopen() is needed and I don't want it to be disabled in disable_functions. I wonder how I can disable just fopen("/etc/passwd","r"); without putting any restriction on the fopen function at all.
Any ideas will be appreciated.
Best Regards.

07-18-2007, 02:01 PM
Engineer
Join Date: Jan 2005
Location: Scotland, UK
Posts: 2,380
There's no easy method to do this; in fact, to stop it opening that file specifically you would need to edit the PHP source.
That file will always be readable by all users on the system; there's nothing really bad about reading it.
The most effective way is going to be to use open_basedir.
__________________
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. Keep your servers online.
United Kingdom: *0800 8620073* // United States: *585 563 1729* // Australia: *02 9037 2448* // International: *+44.1412800134*
Scott Mcintyre

07-18-2007, 02:12 PM
Web Hosting Master
Join Date: May 2006
Posts: 646
Make sure that you have the entry open_basedir = "/home:/tmp:/usr" in your php.ini. See if it helps.

07-18-2007, 02:14 PM
WHT Addict
Join Date: Jun 2007
Posts: 118
open_basedir is enabled and has been set to /home:/tmp. I think open_basedir has no restriction to do with fopen().
You're right, there's nothing bad about reading passwd because the passwords will be saved as shadow on most servers, but it could reveal users' home directories, etc. Anyway, thank you for your help.

07-18-2007, 02:16 PM
WHT Addict
Join Date: Jun 2007
Posts: 118
Dear sparksupport, I've already set open_basedir to /home:/tmp.

07-18-2007, 02:16 PM
Engineer
Join Date: Jan 2005
Location: Scotland, UK
Posts: 2,380
Quote:
Originally Posted by b3nz
open_basedir is enabled and has been set to /home:/tmp. I think open_basedir has no restriction to do with fopen().
You're right, there's nothing bad about reading passwd because the passwords will be saved as shadow on most servers, but it could reveal users' home directories, etc. Anyway, thank you for your help.

If you define open_basedir within the user's virtualhost then yes, it will have an effect, because they will be unable to read anything outside of the path you specify.

07-18-2007, 02:23 PM
WHT Addict
Join Date: Jun 2007
Posts: 118
So why is passwd still readable for c99? That's why I got confused.

07-18-2007, 02:25 PM
Engineer
Join Date: Jan 2005
Location: Scotland, UK
Posts: 2,380
Show me the open_basedir entry for that virtualhost.

07-18-2007, 02:32 PM
WHT Addict
Join Date: Jun 2007
Posts: 118
That virtualhost has the same rules that have been set in php.ini.
This result was created by c99 itself:
Server security information:Open base dir: /home:/tmp
Get /etc/passwd
It means open_basedir is currently working on this site, but passwd could be read by fopen().
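
A diagnostic an administrator could place in the affected virtual host to check the question the thread ends on: which open_basedir value PHP is enforcing for that site, and whether fopen() on /etc/passwd is refused. This is an added example, not code posted by anyone in the thread; it assumes PHP 7 or later, and the file name `basedir-check.php` is hypothetical.

```php
<?php
// basedir-check.php (hypothetical name). Added diagnostic, not from the thread.
// Request it through the web server as the affected virtual host, not from the
// CLI, so that the per-vhost settings are the ones in effect.

/** Return the open_basedir value PHP is enforcing for this request. */
function effective_open_basedir(): string
{
    return (string) ini_get('open_basedir');
}

/** Try to open $path read-only; report whether PHP allowed it, and if not, why. */
function probe_read(string $path): array
{
    error_clear_last();
    $fh = @fopen($path, 'r');          // @ hides the warning; error_get_last() still records it
    if ($fh !== false) {
        fclose($fh);
        return ['path' => $path, 'readable' => true, 'reason' => ''];
    }
    $err = error_get_last();
    return ['path' => $path, 'readable' => false, 'reason' => $err['message'] ?? 'unknown'];
}

header('Content-Type: text/plain');

// global_value is the php.ini (master) setting; local_value is what applies
// to this request after any per-vhost or per-directory override.
$details = ini_get_all(null, true)['open_basedir'] ?? [];

echo 'SAPI: ', php_sapi_name(), "\n";
echo 'php.ini loaded: ', php_ini_loaded_file() ?: '(none)', "\n";
echo 'open_basedir (effective): ', effective_open_basedir() ?: '(not set)', "\n";
echo 'open_basedir (master): ', ($details['global_value'] ?? '') ?: '(not set)', "\n";
echo 'open_basedir (local): ', ($details['local_value'] ?? '') ?: '(not set)', "\n";

// /etc/passwd is the file from the thread; __FILE__ is a control that should
// always be readable when the script lives inside the allowed tree.
foreach (['/etc/passwd', __FILE__] as $path) {
    $r = probe_read($path);
    echo $r['path'], ' => ', $r['readable'] ? 'READABLE' : 'blocked: ' . $r['reason'], "\n";
}
```

A "blocked" line for /etc/passwd means open_basedir is restricting fopen() for that virtual host; a "READABLE" line means the effective value printed above is the one to compare against the vhost configuration. Remove the script once the check is done.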