[24772] in bugtraq
Re: move_uploaded_file breaks safe_mode restrictions in PHP
daemon@ATHENA.MIT.EDU (Jedi/Sector One)
Thu Mar 21 02:36:33 2002
Date: Wed, 20 Mar 2002 08:15:38 +0059
From: Jedi/Sector One <j@pureftpd.org>
To: Tozz <tozz@embrace.selwerd.nl>
Cc: bugtraq@securityfocus.com
Message-ID: <20020320071600.GB31366@c9x.org>
In-Reply-To: <001101c1ce02$6038b4b0$bd00a8c0@poesje>

On Sun, Mar 17, 2002 at 11:23:34PM +0100, Tozz wrote:

> It's possible to circumvent (probably spelled wrong) PHP safe_mode
> restrictions by using move_uploaded_file.

It may be a bit early to post that on Bugtraq since no official patch has
been released yet.

> PHP.net is notified, and the bug has been fixed in CVS. However, I am unable
> to compile the CVS version atm. Gives a lot of 'make' errors.

You can always try the current PHP audit project patch, that applies to a
vanilla PHP 4.1.2 release, and that includes a fix for that bug.

http://phpaudit.42-networks.com/

Best regards,

-Frank.
--
__ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/