Blocking functions use in PHP not working...
I've disabled sensitive commands using the following line in php.ini:
disable_functions = sytem, exec, shell_exec, passthru, popen, proc_open, proc_close
That way people can't do sensitive commands. However, it appears it works anyways...
<?php
echo getcwd();
system("cp -f /path/to/sensitive/info/file.txt /home/perpetrator/file.txt");
?>
Yes, I know I could chmod 700 the info that is sensitive, but for reasons we don't need to go into it just won't work like that.
---
Is there a syntax error in disable_functions that's getting it to be ignored on Apache's restart? Why wouldn't this be blocked like it should?
Last edited by jon_k; 08-06-2004 at 05:38 PM.
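An added example, not part of the original post: a Python check that parses a `disable_functions` line and reports listed names that match none of the functions meant to be blocked, which matters because PHP gives no error for a name it does not recognise in that directive. The `INTENDED` set (the post's list plus the `system` call from its snippet), the sample text and the helper names are assumptions made for this illustration.

```python
import difflib

# Assumption: the functions the admin means to block, taken from the post's
# directive and from the system() call in its PHP snippet.
INTENDED = {"system", "exec", "shell_exec", "passthru",
            "popen", "proc_open", "proc_close"}

# Constructed sample: the directive exactly as it is written in the post.
SAMPLE_INI = """\
; constructed php.ini fragment
disable_functions = sytem, exec, shell_exec, passthru, popen, proc_open, proc_close
"""

def parse_disable_functions(ini_text):
    """Return the names in the last active disable_functions directive."""
    names = []
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "disable_functions":
            # PHP function names are case-insensitive; the value may be quoted
            names = [n.strip().strip('"').lower()
                     for n in value.split(",") if n.strip()]
    return names

def audit(ini_text, intended=INTENDED):
    """Compare the directive with the intended block list."""
    listed = set(parse_disable_functions(ini_text))
    unrecognised = sorted(listed - intended)     # listed, but not an intended name
    still_callable = sorted(intended - listed)   # intended, but never listed
    suggestions = {}
    for name in unrecognised:
        # A near match to a function that is still callable suggests a typo
        close = difflib.get_close_matches(name, still_callable, n=1, cutoff=0.8)
        if close:
            suggestions[name] = close[0]
    return {"unrecognised": unrecognised,
            "still_callable": still_callable,
            "suggestions": suggestions}

if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    for bad, good in report["suggestions"].items():
        print(f"'{bad}' blocks nothing; did you mean '{good}'?")
    print("still callable:", ", ".join(report["still_callable"]) or "none")
```
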