Bugtraq mailing list archives
Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Mads Bach <bach () INDER NET>
Date: Mon, 4 Sep 2000 06:36:53 +0200
Secure Reality Advisories wrote:
Back to the issue at hand. Using the fact mentioned above, we can create the four variables $hello, $hello_name, $hello_type, $hello_size ourselves using form input like the following

<INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
<INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
<INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
<INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">

This should lead to the PHP script working on the passwd file, usually resulting in it being disclosed to the attacker.

[Fix]
Unfortunately, I believe this style of problem to be impossible to fix with the default behaviour/configuration of PHP, I'll be demonstrating this with several advisories in the next few weeks.

One simple fix (which I would recommend to all developers working in PHP) is to check the filename ("hello" in the example above), and make sure that it is in fact located in the temp directory. This way, nothing vital should be available to the attacker.

Regards,
Mads Bach

--
"Honestly, OS/2 with EMX is closer to Unix than AIX is."
 - Brandon S. Allbery in Scary Devil Monastery
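
The check suggested in the reply above, sketched as an added example that is not part of the original post or of PHP itself: the claimed path is canonicalised and then required to sit inside the upload temp directory. The helper name `path_is_inside_dir()` and the demo paths are hypothetical and constructed for illustration.

```php
<?php
// Added example. path_is_inside_dir() is a hypothetical helper, not a PHP built-in.
// In a real script $dir would be ini_get('upload_tmp_dir') or sys_get_temp_dir().
function path_is_inside_dir(string $path, string $dir): bool
{
    // realpath() resolves "..", symlinks and repeated slashes, and returns
    // false when the target does not exist.
    $realDir  = realpath($dir);
    $realPath = realpath($path);
    if ($realDir === false || $realPath === false) {
        return false;
    }
    // Compare against the directory plus a trailing separator, so that
    // /tmp/up does not also match /tmp/up_sibling/file.
    $prefix = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $prefix, strlen($prefix)) === 0
        && is_file($realPath);
}

// Constructed demo: a private directory standing in for the upload temp dir.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
mkdir($tmp, 0700);
$legit = $tmp . DIRECTORY_SEPARATOR . 'phpA1b2C3';   // constructed temp file name
file_put_contents($legit, "uploaded data\n");

$candidates = [
    $legit,                          // file really inside the temp directory
    '/etc/passwd',                   // the value from the advisory's form field
    $tmp . '/../../etc/passwd',      // traversal back out of the temp directory
    $tmp . '_sibling/file',          // shares the string prefix, different directory
];
foreach ($candidates as $c) {
    printf("%-60s %s\n", $c, path_is_inside_dir($c, $tmp) ? 'accept' : 'reject');
}

unlink($legit);
rmdir($tmp);
```

A directory check still accepts any other file that lives in the temp directory, such as session files or another request's upload. PHP's built-in `is_uploaded_file()` instead confirms that the path is one PHP itself created for an upload in the current request.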