Re: (SRADV00001) Arbitrary file disclosure through PHP file upload

[Mads Bach <bach () INDER NET>]

Secure Reality Advisories wrote:

> Back to the issue at hand. Using the fact mentioned above, we can create the
> four variables $hell, $hello_name, $hello_type, $hello_size ourselves using
> form input like the following
>  <INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
>  <INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
>  <INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
>  <INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">
>
> This should lead the PHP script working on the passwd file, usually
> resulting in it being disclosed to the attacker.
>
> [Fix]
> Unfortunately, I believe this style of problem to be impossible to fix with
> the default behaviour/configuration of PHP, I'll be demonstrating this with
> several adviories in the next few weeks.

One simple fix (which I would recommend to all developers working in PHP) is
to check the filename ("hello" in the example above), and make sure that it
is in fact located in the temp directory. This way, nothing vital should be
available to the attacker.

Regards,
Mads Bach
--
"Honestly, OS/2 with EMX is closer to Unix than AIX is."
- Brandon S. Allbery in Scary Devil Monastery