php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #6496 The file upload feature opens a possible security hole
Submitted: 2000-09-01 20:38 UTC Modified: 2000-10-06 19:15 UTC
From: luci at conexim dot com dot au Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.2 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: luci at conexim dot com dot au
New email:
PHP Version: OS:

 

 [2000-09-01 20:38 UTC] luci at conexim dot com dot au 
Public internet users can potentially read files residing on the webserver through existing php code using the file upload feature.

If there is a <FORM> with a "FILE" input field called "uploadedfile" for example, followed by another form field with the same name "uploadedfile" which has the value of the path of a file on the webserver ("/etc/passwd") works fine in many cases, then the code handling the uploaded file will process the file pointed by the path given by the second form element, not the file actually uploaded. If the code is meant to display the uploaded file, or save it under a public URL, then the public users can see its contents.

There is a permission issue, as far as the ownership of the webserver process. But most setups use nobody, or another use/group which can read certain files on the webserver.

I have not tested to see if the file gets deleted at the termination of the script as the temporary files do.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-09-04 02:54 UTC] rasmus@php.net 
A fix is in CVS which addresses this.  And, no, the faked file would not get deleted.

There is a second issue here related to scripts expecting a file upload being fed a form without a file upload field at all.  This is more of a documentation and user education issue though.  We will get some better code examples and data validation routines put up shortly.  The general advice is the same as always.  Never trust user-supplied data and check any such data before using it.
 [2000-09-04 05:55 UTC] stas@php.net 
Since we don't have a fix for a "fake upload" yet, as I understand, and since recent patch breaks innocent variables happening to start with same prefix as some file upload, and since no docs still exist - I guess it would be a good thing to reponen this report until we have a full fix and docs.
 [2000-10-06 19:15 UTC] sniper@php.net 
As those docs now exists I believe this can be closed.

--Jani
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 01 18:00:01 2025 UTC