Bugtraq mailing list archives
Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Rasmus Lerdorf <rasmus () linuxcare com>
Date: Sun, 3 Sep 2000 23:50:15 -0700
The fix for this particular variation of the exploit is already in CVS and is included below. Note that this has nothing to do with track_vars nor with register_globals despite what the bugtraq posting said. And your user-level data validation solution is pretty good. An attacker would have to know the exact size of a file on your system in order to get at it. Chances are that if the exact size is already known, the contents will be as well.

Index: php4/main/rfc1867.c diff -u php4/main/rfc1867.c:1.38 php4/main/rfc1867.c:1.39 --- php4/main/rfc1867.c:1.38 Sat Aug 5 23:40:28 2000 +++ php4/main/rfc1867.c Sun Sep 3 22:09:46 2000 @@ -15,7 +15,7 @@ | Authors: Rasmus Lerdorf <rasmus () php net> | +----------------------------------------------------------------------+ */ -/* $Id: rfc1867.c,v 1.38 2000/08/06 06:40:28 rasmus Exp $ */ +/* $Id: rfc1867.c,v 1.39 2000/09/04 05:09:46 rasmus Exp $ */ #include <stdio.h> #include "php.h" @@ -64,7 +64,7 @@ int eolsize; long bytes, max_file_size = 0; char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL, - *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL; + *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL; FILE *fp; int itype, is_arr_upload=0, arr_len=0; zval *http_post_files=NULL; @@ -172,8 +172,10 @@ } abuf = estrndup(namebuf, strlen(namebuf)-arr_len); sprintf(lbuf, "%s_name[%s]", abuf, arr_index); + sbuf = estrdup(abuf); } else { sprintf(lbuf, "%s_name", namebuf); + sbuf = estrdup(abuf); } s = strrchr(filenamebuf, '\\'); if (s && s > filenamebuf) { @@ -252,7 +254,11 @@ } *(loc - 4) = '\0'; - php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC); + /* Check to make sure we are not overwriting special file + * upload variables */ + if(memcmp(namebuf,sbuf,strlen(sbuf))) { + php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC); + } /* And a little kludge to pick out special * MAX_FILE_SIZE */ itype = php_check_ident_type(namebuf); 
@@ -353,6 +359,7 @@ break; } } + if(sbuf) efree(sbuf); SAFE_RETURN; }
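Review bot: in the `else` branch of the `@@ -172,8 +172,10 @@` hunk, `sbuf = estrdup(abuf);` duplicates the wrong buffer. `abuf` is only assigned in the array-upload branch (`abuf = estrndup(namebuf, strlen(namebuf)-arr_len);`) and is otherwise still the NULL it was declared with in the `@@ -64` hunk, or left over from an earlier part, so for a non-array upload field the later prefix check is made against NULL or a stale name. The non-array branch uses `namebuf` as the field name (`sprintf(lbuf, "%s_name", namebuf);`), so it should read `sbuf = estrdup(namebuf);`.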
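Review bot: the guard `if(memcmp(namebuf,sbuf,strlen(sbuf)))` in the `@@ -252,7 +254,11 @@` hunk needs a NULL check and a tighter comparison. `sbuf` is initialised to NULL in the `@@ -64` hunk and only assigned in the `@@ -172` hunk when a file part is handled, so if an ordinary form field is registered before any file field, `strlen(sbuf)` dereferences NULL; add a `sbuf &&` guard, and consider making the protection independent of the order of parts in the request rather than tied to the most recently seen file field. Separately, a bare prefix test is broader than the new comment states: it suppresses every variable whose name begins with the upload field's name, not only the special `_name`-style upload variables, and `memcmp` may read past the terminator of the shorter string. `strncmp(namebuf, sbuf, strlen(sbuf)) == 0`, or better a comparison against the exact generated names such as the `lbuf` built with `"%s_name"`, would block only what needs blocking.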
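Review bot: `if(sbuf) efree(sbuf);` before `SAFE_RETURN` in the `@@ -353,6 +359,7 @@` hunk releases only the last copy. `sbuf` is assigned with `estrdup` every time the `@@ -172` hunk runs, so if that code is reached once per file part in a multipart body, each assignment but the last leaks the previous buffer; free the existing `sbuf` before assigning a new one (e.g. `if(sbuf) efree(sbuf);` immediately before each `sbuf = estrdup(...)`). It is worth checking that `abuf`, which is duplicated in the same place, is released on the same path.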
Current thread:
- (SRADV00001) Arbitrary file disclosure through PHP file upload Secure Reality Advisories (Sep 03)
- Re: (SRADV00001) Arbitrary file disclosure through PHP file upload Signal 11 (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Rasmus Lerdorf (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Zeev Suraski (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure throughPHP file upload Zeev Suraski (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Rasmus Lerdorf (Sep 04)
- Re: (SRADV00001) Arbitrary file disclosure through PHP file upload Signal 11 (Sep 04)