PHP in safemode

planepix


Hi there,

I've got a little problem now. I just discovered that when I turn off safemode, I can just steal all files from other accounts with file_get_contents().

So I turned it on for all accounts, but some sites use functions that are completely disabled in safemode.

Warning: set_time_limit(): Cannot set time limit in safe mode in /home/seper01357/domains/uploaddump.nl/public_html/index.php on line 11

One of them, so now their sites don't work correctly anymore, but I refuse to turn safemode off for as long as it's so unsafe when turned on.

Does someone have another solution for this?


-sorry for my bad English.
 
You can use open_basedir for this specific call, I believe, but this doesn't help for the system class of functions like exec(), passthru(), etc.

There's a ton of posts about this. Short answer, use safemode and limit the functionality for your users, use phpsuexec with a severe performance penalty and configuration headaches or use open_basedir and disable_functions for the specific functions that you're worried about, again limiting the functionality for your users.

Also note that even with these functions disabled, it's still trivial for users to get the contents of world-readable files if you have cgi enabled.
 
You can add an "@" to the beginning of the set_time_limit command so that the script doesn't fail there, however if the script needs more time than what's been defined in the php.ini you'll run into problems.

suPHP might also help with this.

Nothing will help if the files are world readable and writeable ;)
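
The point made in the replies, that world-readable and world-writable files stay exposed whatever PHP restrictions are set, can be checked per account from the shell. The script below is an added example, not part of the thread: the function names and the sample account tree (alice, bob) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list files that every local account,
# and therefore any other customer's PHP or CGI script, can read or modify.

# audit_world_access ROOT
#   WRITE <path>  file or directory with the other-write bit (o+w) set
#   READ  <path>  regular file with other-read (o+r) but not o+w
audit_world_access() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" \( -type f -o -type d \) -perm -0002 \
        -exec printf 'WRITE %s\n' {} +
    find "$root" -type f -perm -0004 ! -perm -0002 \
        -exec printf 'READ  %s\n' {} +
}

# make_sample_tree: constructed layout of two accounts for a dry run.
# Prints the path of the temporary root; the caller removes it.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/alice/public_html" "$t/bob/public_html/uploads"
    echo '<?php $db_pass = "constructed";' > "$t/alice/public_html/config.php"
    echo '<?php echo "hi";'               > "$t/alice/public_html/index.php"
    echo '<?php // private'               > "$t/bob/public_html/config.php"
    chmod 644 "$t/alice/public_html/config.php"   # readable by everyone
    chmod 600 "$t/alice/public_html/index.php"    # owner only
    chmod 640 "$t/bob/public_html/config.php"     # owner + group only
    chmod 777 "$t/bob/public_html/uploads"        # writable by everyone
    chmod 755 "$t" "$t/alice" "$t/alice/public_html" "$t/bob" "$t/bob/public_html"
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /home     (no argument: run against the sample tree)
if [ "$#" -gt 0 ]; then
    audit_world_access "$1"
else
    sample=$(make_sample_tree) && audit_world_access "$sample"
    rm -rf "$sample"
fi
```

A READ line on a file holding credentials, or any WRITE line, marks something to tighten before relying on open_basedir, disable_functions or suPHP.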
 