[16554] in bugtraq
Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
daemon@ATHENA.MIT.EDU (Mads Bach)
Mon Sep 4 21:43:51 2000
Message-Id: <39B326C5.7D945111@inder.net>
Date: Mon, 4 Sep 2000 06:36:53 +0200
Reply-To: Mads Bach <bach@INDER.NET>
From: Mads Bach <bach@INDER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Secure Reality Advisories wrote:
> Back to the issue at hand. Using the fact mentioned above, we can create the
> four variables $hello, $hello_name, $hello_type, $hello_size ourselves using
> form input like the following
> <INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
> <INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
> <INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
> <INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">
>
> This should lead the PHP script working on the passwd file, usually
> resulting in it being disclosed to the attacker.
>
> [Fix]
> Unfortunately, I believe this style of problem to be impossible to fix with
> the default behaviour/configuration of PHP; I'll be demonstrating this with
> several advisories in the next few weeks.

One simple fix (which I would recommend to all developers working in PHP) is
to check the filename ("hello" in the example above), and make sure that it
is in fact located in the temp directory. This way, nothing vital should be
available to the attacker.

Regards,
Mads Bach
--
"Honestly, OS/2 with EMX is closer to Unix than AIX is."
- Brandon S. Allbery in Scary Devil Monastery
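The directory check Mads describes, written out as an added example that is not part of the original thread or of PHP itself: the submitted temp path is resolved with realpath() and accepted only if it lies inside the upload temp directory, so a hidden field naming /etc/passwd is rejected. The field name "hello" follows the advisory; reading the temp directory from upload_tmp_dir (falling back to sys_get_temp_dir()) is an assumption about the deployment.

```php
<?php
// Added example, not code from the original post. Assumes the upload temp
// directory is upload_tmp_dir or, if unset, the system temp directory.
function upload_tmp_dir(): string
{
    $dir = ini_get('upload_tmp_dir');
    return ($dir !== false && $dir !== '') ? $dir : sys_get_temp_dir();
}

// True only if $path is an existing regular file whose resolved location is
// strictly inside $tmpdir. realpath() first, so "../" and symlinks cannot
// smuggle a path outside the directory past the prefix comparison.
function is_in_upload_tmp(string $path, string $tmpdir): bool
{
    $realTmp  = realpath($tmpdir);
    $realPath = realpath($path);
    if ($realTmp === false || $realPath === false || !is_file($realPath)) {
        return false;
    }
    $realTmp = rtrim($realTmp, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $realTmp, strlen($realTmp)) === 0;
}

// 2000-era handler: with register_globals on, $hello is whatever the request
// supplied, so the script happily reads any file the web server can open.
function handle_upload_vulnerable(string $hello): string
{
    return file_get_contents($hello);
}

// Hardened handler: take the temp path from $_FILES (the "hello" field is
// the advisory's name) and refuse anything outside the upload temp dir.
// Current PHP also offers is_uploaded_file() for the same purpose.
function handle_upload_checked(array $files, string $field): ?string
{
    $tmp = $files[$field]['tmp_name'] ?? null;
    if ($tmp === null || !is_in_upload_tmp($tmp, upload_tmp_dir())) {
        return null;
    }
    return file_get_contents($tmp);
}

// Offline demonstration with a constructed stand-in for a real upload.
$tmpdir = upload_tmp_dir();
$good   = tempnam($tmpdir, 'php');
file_put_contents($good, "uploaded bytes");
var_dump(is_in_upload_tmp($good, $tmpdir));          // accepted
var_dump(is_in_upload_tmp('/etc/passwd', $tmpdir));  // rejected
var_dump(handle_upload_checked(['hello' => ['tmp_name' => '/etc/passwd']], 'hello'));
unlink($good);
```

The prefix comparison must be done on the realpath() results, not on the raw submitted string, or a path such as /tmp/../etc/passwd would pass the check.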