Bugtraq mailing list archives

FW: [PHP-DEV] FW: (SRADV00001) Arbitrary file disclosure through PHP file upload


From: Signal 11 <signal11 () MEDIAONE NET>
Date: Mon, 4 Sep 2000 12:10:58 -0500

Resending, last one bounced...

-----Original Message-----
From: Rasmus Lerdorf [mailto:rasmus () php net]
Sent: Monday, September 04, 2000 12:34 AM
To: Signal 11
Cc: php-dev () lists php net
Subject: Re: [PHP-DEV] FW: (SRADV00001) Arbitrary file disclosure
through PHP file upload


This just hit bugtraq. I'm formulating a reply presently, and will
cc you in on it. I think the author may be getting ahead of himself.
I still need to backpedal through the bug lists and see if this hasn't
been logged before..

He is a little bit confused.  This has nothing to do with register_globals
and turning off register_globals does nothing to fix this issue.  I
committed a patch which fixes the problem, but we will probably refine it.

My suggestion is for people to simply check their $userfile_name variable
and make sure they are copying a file from their tmp directory and nowhere
else.  And of course, your web server user id should not have access to
sensitive files on your system anyway.

-Rasmus
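The check Rasmus suggests (copy only from the upload tmp directory, nowhere else), written out as an added example; this is not code from the thread or from the PHP patch he mentions. It assumes a form field named `userfile` and the PHP 4-era globals `$userfile` (temp path) and `$userfile_name` (client-supplied name); the function names are hypothetical.

```php
<?php
// Added example, not from the thread: the "copy only from the upload tmp
// directory" check, next to the old-style handler it replaces.
// Assumes $userfile / $userfile_name as populated by a PHP 4-era upload form.

$upload_tmp_dir = '/tmp';             // upload_tmp_dir from php.ini (assumed)
$dest_dir       = '/var/www/uploads'; // hypothetical destination

// Old-style handler: trusts $userfile as the temp path and copies it as-is.
// Whatever path ends up in $userfile is read and published under $dest_dir.
function save_upload_unchecked($userfile, $userfile_name, $dest_dir)
{
    return copy($userfile, $dest_dir . '/' . basename($userfile_name));
}

// Hardened handler: refuse any source that is not a regular file strictly
// inside the upload tmp directory, and strip directory parts from the name.
function save_upload_checked($userfile, $userfile_name, $upload_tmp_dir, $dest_dir)
{
    $real_tmp = realpath($upload_tmp_dir);
    $real_src = realpath($userfile);
    if ($real_tmp === false || $real_src === false) {
        return false;                 // nonexistent path or tmp dir
    }
    // Require the "/tmp/" prefix so "/tmp" itself or "/tmpfoo" do not pass.
    if (strpos($real_src, $real_tmp . DIRECTORY_SEPARATOR) !== 0) {
        return false;                 // source lives outside the tmp dir
    }
    if (!is_file($real_src)) {
        return false;                 // directories, devices, etc.
    }
    $name = basename($userfile_name);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;                 // no usable file name
    }
    return copy($real_src, $dest_dir . '/' . $name);
}

// Later PHP releases provide the same guarantee built in:
// is_uploaded_file($_FILES['userfile']['tmp_name']) and move_uploaded_file().
```

The prefix check on `realpath()` output is the part that matters: a `strpos()` on the raw `$userfile` string would still accept `/tmp/../etc/passwd`.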

