Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Zeev Suraski <zeev () zend com>
Date: Tue, 5 Sep 2000 01:35:03 +0300

The initial fix published earlier did NOT fix the vulnerability that was
discovered, and could also cause crashes under certain circumstances.  It
could also cause some applications to fail, due to a side effect that
prevents certain valid form variables from being processed correctly.

The correct, tested fixed file (without any side effects) is available at


The diff against version 4.0.2 is available at:


It is also attached to this message.

Thanks to James Moore for helping me test this fix.


Attachment: rfc1867.c.diff

Zeev Suraski   <zeev () zend com>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]