Home page logo

bugtraq logo Bugtraq mailing list archives

Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Mads Bach <bach () INDER NET>
Date: Mon, 4 Sep 2000 06:36:53 +0200

Secure Reality Advisories wrote:

Back to the issue at hand. Using the fact mentioned above, we can create the
four variables $hell, $hello_name, $hello_type, $hello_size ourselves using
form input like the following
 <INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
 <INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
 <INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
 <INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">

This should lead the PHP script working on the passwd file, usually
resulting in it being disclosed to the attacker.

Unfortunately, I believe this style of problem to be impossible to fix with
the default behaviour/configuration of PHP, I'll be demonstrating this with
several adviories in the next few weeks.

One simple fix (which I would recommend to all developers working in PHP) is
to check the filename ("hello" in the example above), and make sure that it
is in fact located in the temp directory. This way, nothing vital should be
available to the attacker.

Mads Bach
"Honestly, OS/2 with EMX is closer to Unix than AIX is."
- Brandon S. Allbery in Scary Devil Monastery

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]