PHP :: Bug #16128 :: move_uploaded_file breaks safe_mode and open

Bug #16128

move_uploaded_file breaks safe_mode and open_basedir restrictions

Submitted:

2002-03-17 15:05 UTC

Modified:

2005-01-31 23:00 UTC

Votes:	3
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 2 (50.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

tozz at embrace dot selwerd dot nl

Assigned:

Status:

Closed

Package:

Safe Mode/open_basedir

PHP Version:

4.1.2

OS:

Linux 2.4.13

Private report:

CVE-ID:

None

View Developer Edit

[2002-03-17 15:05 UTC] tozz at embrace dot selwerd dot nl

One of my customers has found a way to break my safe_mode and open_basedir restrictions. (www.net-force.nl)

He created the following script:
<?
 
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type']; 
$size = $HTTP_POST_FILES['file']['size']; 
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file){
if ($size < $size_limit){

move_uploaded_file($temp, "/domains/killanet.org/public_html/www/test/".$file);
echo "The file <tt>$file</tt> was sucessfully
uploaded"; 
} else {
echo "Sorry, your file exceeds the size limit of $size_limit
bytes";
}}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>

As you can see, he moved the uploaded file to:
"/domains/killanet.org/public_html/www/test/"

Which should be impossible, because my httpd.conf says:

<VirtualHost 213.206.77.232>
        DocumentRoot /domains/net-force.nl/public_html/root/
        ServerName root.net-force.nl
        CustomLog /domains/net-force.nl/logs/access_log combined
        ErrorLog /domains/net-force.nl/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/net force.nl/public_html/root/
</VirtualHost>

As you can see I have both set safe_mode and the open_basedir restriction but this user is able to upload any file where the apache user has write access.

Credits fly out to bastijs@net-force.nl for finding this bug.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-17 15:21 UTC] tozz at embrace dot selwerd dot nl

The script in this example is a bit crippled due to wordwrapping. Here is the original script:

http://root.net-force.nl/prog.txt

[2002-03-17 16:03 UTC] sesser@php.net

This bug has been fixed in CVS.

[2002-03-18 14:18 UTC] wouter at widexs dot nl

In CVS it's fixed _if_ you use open_basedir. But if you don't, the php_checkuid fails to do it's work...

[2002-03-18 14:20 UTC] sesser@php.net

I advise you to test the CVS version before claiming this.

[2002-03-18 17:24 UTC] tozz at embrace dot selwerd dot nl

I applied the patch from CVS (The CVS itself fucked up almost all my hosted sites), so I added :

if (php_check_open_basedir(Z_STRVAL_PP(new_path) TSRMLS_CC)) { RETURN_FALSE; } 

on row 2473 in ./ext/standard/basic_functions.c

I have disabled the open_basedir restriction for root.net-force.nl and I was able to upload to any directory that apache has write access too.

However, this could also be by design. Because without open_basedir PHP is not limited to a certain directory. And therefore PHP should indeed be able to write to any directory where PHP has write access. 

Or perhaps this is not wat wouter means :) If thats the case, sorry to bug you ;)

[2002-03-18 19:21 UTC] sesser@php.net

there was a typo in main/safe_mode.c, that was fixed some days ago. This typo is responsible for checkuid failing. You must apply this fix, too.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 13:01:29 2025 UTC