Bugtraq mailing list archives

Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Zeev Suraski <zeev () zend com>
Date: Tue, 5 Sep 2000 01:35:03 +0300

The initial fix published earlier did NOT fix the vulnerability that was
discovered, and could also cause crashes under certain circumstances.  It
could also cause some applications to fail, due to a side effect that
prevents certain valid form variables from being processed correctly.

The correct, tested fixed file (without any side effects) is available at

http://cvsweb.php.net/viewcvs.cgi/~checkout~/php4/main/rfc1867.c?rev=1.45&content-type=text/plain

The diff against version 4.0.2 is available at:

http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u

It is also attached to this message.

Thanks to James Moore for helping me test this fix.

Zeev

Attachment: rfc1867.c.diff

--
Zeev Suraski   <zeev () zend com>
http://www.zend.com/
