[16560] in bugtraq
Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
daemon@ATHENA.MIT.EDU (Brian Smith)
Mon Sep 4 22:45:31 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.1000904134913.25398B-100000@camelot.arthurian.nu>
Date: Mon, 4 Sep 2000 13:54:55 -0400
Reply-To: avalon73@earthling.net
From: Brian Smith <avalon73@ARTHURIAN.NU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <003201c015b0$ebabb4e0$6d32a4cb@rivrw1.nsw.optushome.com.au>

A couple things I see with this:

1) Wouldn't the same problem also exist if you turned register_globals off
   and used the HTTP request value arrays?

2) It's not always a problem... it all depends on what you do with the
   uploaded file. I recently did a file upload form that merely emails
   the file as an attachment to a fixed address (for manual processing
   later)... nobody trying to exploit the script in the way that you're
   suggesting can get anything out of the script that way.

----------------------------------------------------------------------
Brian Smith // avalon73@earthling.net // http://www.arthurian.nu/
Software Developer // Gamer // Webmaster // System Administrator
Echelon Teasers: NSA CIA FBI Mossad MI5 Cocaine Cuba Revolution Espionage