Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Rasmus Lerdorf <rasmus () linuxcare com>
Date: Sun, 3 Sep 2000 23:50:15 -0700

The fix for this particular variation of the exploit is already in CVS and
is included below.  Note that this has nothing to do with track_vars nor
with register_globals despite what the bugtraq posting said.  And your
user-level data validation solution is pretty good.  An attacker would
have to know the exact size of a file on your system in order to get at
it.  Chances are that if the exact size is already know, the contents will
be as well.


Index: php4/main/rfc1867.c
diff -u php4/main/rfc1867.c:1.38 php4/main/rfc1867.c:1.39
--- php4/main/rfc1867.c:1.38    Sat Aug  5 23:40:28 2000
+++ php4/main/rfc1867.c Sun Sep  3 22:09:46 2000
@@ -15,7 +15,7 @@
    | Authors: Rasmus Lerdorf <rasmus () php net>                             |
    +----------------------------------------------------------------------+
  */
-/* $Id: rfc1867.c,v 1.38 2000/08/06 06:40:28 rasmus Exp $ */
+/* $Id: rfc1867.c,v 1.39 2000/09/04 05:09:46 rasmus Exp $ */

 #include <stdio.h>
 #include "php.h"
@@ -64,7 +64,7 @@
        int eolsize;
        long bytes, max_file_size = 0;
        char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL,
-                *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL;
+                *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL;
        FILE *fp;
        int itype, is_arr_upload=0, arr_len=0;
        zval *http_post_files=NULL;
@@ -172,8 +172,10 @@
                                                }
                                                abuf = estrndup(namebuf, strlen(namebuf)-arr_len);
                                                sprintf(lbuf, "%s_name[%s]", abuf, arr_index);
+                                               sbuf = estrdup(abuf);
                                        } else {
                                                sprintf(lbuf, "%s_name", namebuf);
+                                               sbuf = estrdup(abuf);
                                        }
                                        s = strrchr(filenamebuf, '\\');
                                        if (s && s > filenamebuf) {
@@ -252,7 +254,11 @@
                                }
                                *(loc - 4) = '\0';

-                               php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+                               /* Check to make sure we are not overwriting special file
+                                * upload variables */
+                               if(memcmp(namebuf,sbuf,strlen(sbuf))) {
+                                       php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+                               }

                                /* And a little kludge to pick out special
                                 * MAX_FILE_SIZE */
                                itype = php_check_ident_type(namebuf);
@@ -353,6 +359,7 @@
                                break;
                }
        }
+       if(sbuf) efree(sbuf);
        SAFE_RETURN;
 }


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault