Bug #16128 move_uploaded_file breaks safe_mode and open_basedir restrictions
Submitted: 2002-03-17 15:05 UTC Modified: 2005-01-31 23:00 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: tozz at embrace dot selwerd dot nl Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.1.2 OS: Linux 2.4.13
Private report: No CVE-ID: None
 [2002-03-17 15:05 UTC] tozz at embrace dot selwerd dot nl
One of my customers has found a way to break my safe_mode and open_basedir restrictions. (www.net-force.nl)

He created the following script:
<?
// File upload fields supplied by the client (PHP 4 style $HTTP_POST_FILES)
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file) {
    if ($size < $size_limit) {
        // Destination lies outside the open_basedir configured for this virtual host
        move_uploaded_file($temp, "/domains/killanet.org/public_html/www/test/".$file);
        echo "The file <tt>$file</tt> was successfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>

As you can see, he moved the uploaded file to:
"/domains/killanet.org/public_html/www/test/"

Which should be impossible, because my httpd.conf says:

<VirtualHost 213.206.77.232>
        DocumentRoot /domains/net-force.nl/public_html/root/
        ServerName root.net-force.nl
        CustomLog /domains/net-force.nl/logs/access_log combined
        ErrorLog /domains/net-force.nl/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/net-force.nl/public_html/root/
</VirtualHost>

As you can see I have both set safe_mode and the open_basedir restriction but this user is able to upload any file where the apache user has write access.

Credits fly out to bastijs@net-force.nl for finding this bug. 

 [2002-03-17 15:21 UTC] tozz at embrace dot selwerd dot nl
The script in this example is a bit crippled due to wordwrapping. Here is the original script:

http://root.net-force.nl/prog.txt
 [2002-03-17 16:03 UTC] sesser@php.net
This bug has been fixed in CVS.


 [2002-03-18 14:18 UTC] wouter at widexs dot nl
In CVS it's fixed _if_ you use open_basedir. But if you don't, the php_checkuid fails to do its work...
 [2002-03-18 14:20 UTC] sesser@php.net
I advise you to test the CVS version before claiming this.

 [2002-03-18 17:24 UTC] tozz at embrace dot selwerd dot nl
I applied the patch from CVS (The CVS itself fucked up almost all my hosted sites), so I added :

if (php_check_open_basedir(Z_STRVAL_PP(new_path) TSRMLS_CC)) { RETURN_FALSE; } 

on row 2473 in ./ext/standard/basic_functions.c

I have disabled the open_basedir restriction for root.net-force.nl and I was able to upload to any directory that apache has write access to.

However, this could also be by design. Because without open_basedir PHP is not limited to a certain directory. And therefore PHP should indeed be able to write to any directory where PHP has write access. 

Or perhaps this is not what wouter means :) If that's the case, sorry to bug you ;)
 [2002-03-18 19:21 UTC] sesser@php.net
There was a typo in main/safe_mode.c, that was fixed some days ago. This typo is responsible for checkuid failing. You must apply this fix, too.
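
An application-level version of the containment check this report is about, as an added example (not code from the report or from PHP's source): the upload handler itself refuses a destination outside the site's base directory, independent of engine settings. It is written for current PHP, taking one `$_FILES` entry; the function names, the parameters and the temp-directory layout are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true only if $dir resolves to $baseDir or a directory below it.
function dir_within_base(string $dir, string $baseDir): bool
{
    $realBase = realpath($baseDir);
    $realDir  = realpath($dir);          // resolves symlinks and ".." segments
    if ($realBase === false || $realDir === false) {
        return false;                    // nonexistent paths are rejected
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $realDir  = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with a trailing separator so /a/root does not match /a/rootkit.
    return strncmp($realDir, $realBase, strlen($realBase)) === 0;
}

// Hypothetical upload handler: returns the stored path, or null when refused.
function store_upload(array $file, string $destDir, string $baseDir, int $sizeLimit): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $sizeLimit || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!dir_within_base($destDir, $baseDir)) {
        return null;                     // destination outside the site's tree
    }
    // Drop any directory components from the client-supplied name.
    $name = basename(str_replace('\\', '/', $file['name']));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $target = rtrim(realpath($destDir), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed check: the two directories named in the report, recreated under a temp dir.
$root  = sys_get_temp_dir() . '/bug16128_' . getmypid();
$base  = "$root/domains/net-force.nl/public_html/root";
$other = "$root/domains/killanet.org/public_html/www/test";
mkdir($base, 0700, true);
mkdir($other, 0700, true);
var_dump(dir_within_base($base, $base));   // the site's own document root
var_dump(dir_within_base($other, $base));  // the cross-site directory from the report
```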
Last updated: Thu Nov 21 23:01:29 2024 UTC