[24788] in bugtraq


Re: move_uploaded_file breaks safe_mode restrictions in PHP

daemon@ATHENA.MIT.EDU (Patrick Oonk)
Thu Mar 21 19:15:22 2002

Date: Thu, 21 Mar 2002 16:23:12 +0100
From: Patrick Oonk <patrick@pine.nl>
To: sesser@php.net
Cc: bugtraq@securityfocus.com
Message-ID: <20020321152312.GJ13467@pine.nl>
Reply-To: patrick@pine.nl
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020321095518.GA30983@php.net>

On Thu, Mar 21, 2002 at 10:55:18AM +0100, sesser@php.net wrote:
> Hi,
> 
> first of all I want to clarify that move_uploaded_file isn't breaking
> safe_mode restrictions. move_uploaded_file lacked an open_basedir check.
> That feature was added on the request of tozz. move_uploaded_file was
> able to move files to directories writeable for the apache user because
> of some other bug (that was fixed several days before the bug report)
> that was not within move_uploaded_file but in some other place.
> 
> Besides that: maybe you can tell me where the apache user has write
> access to (besides /tmp) on a properly configured system?
> This bug only allows creating new files; it is not possible to
> write to already existing files. So the whole "security" impact on
> a properly configured system is in my eyes that a customer is able
> to fill the hard disk.
> 
> 
> Stefan Esser
> 

/usr/local/apache/proxy on a default apache install.

	p


-- 
 patrick oonk - pine internet - patrick@pine.nl - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
 Excuse of the day: bad ether in the cables
