Bugtraq mailing list archives
Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload
From: Zeev Suraski <zeev () zend com>
Date: Tue, 5 Sep 2000 01:35:03 +0300
The initial fix published earlier did NOT fix the vulnerability that was discovered, and could also cause crashes under certain circumstances. It could also cause some applications to fail, due to a side effect that prevents certain valid form variables from being processed correctly.

The correct, tested fixed file (without any side effects) is available at
http://cvsweb.php.net/viewcvs.cgi/~checkout~/php4/main/rfc1867.c?rev=1.45&content-type=text/plain

The diff against version 4.0.2 is available at:
http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u

It is also attached to this message.

Thanks to James Moore for helping me test this fix.

Zeev
Attachment:
rfc1867.c.diff
-- Zeev Suraski <zeev () zend com> http://www.zend.com/
Current thread:
- (SRADV00001) Arbitrary file disclosure through PHP file upload Secure Reality Advisories (Sep 03)
- Re: (SRADV00001) Arbitrary file disclosure through PHP file upload Signal 11 (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Rasmus Lerdorf (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Zeev Suraski (Sep 04)
- Message not available
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Zeev Suraski (Sep 04)
- Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload Rasmus Lerdorf (Sep 04)
- Re: (SRADV00001) Arbitrary file disclosure through PHP file upload Signal 11 (Sep 04)