Bug #15928 move_uploaded_file() is unsafe running in safe-mode
Submitted: 2002-03-07 06:15 UTC Modified: 2002-03-19 03:18 UTC
From: webmaster at unizh dot ch Assigned:
Status: Closed Package: PHP options/info functions
PHP Version: 4.1.2 OS: AIX
Private report: No CVE-ID: None
 [2002-03-07 06:15 UTC] webmaster at unizh dot ch
Security issue in move_uploaded_file() while in safe-mode

We have different web-sites running on our server. Each of them
may prepare a directory in which files may be written using php-upload
and move_uploaded_file(). Our webserver runs with safe-mode-restriction.

The documentation says, as mentioned, that this is not unsafe.

Note: move_uploaded_file() is not affected by the normal
safe-mode UID-restrictions. This is not unsafe because
move_uploaded_file() only operates on files uploaded via PHP.

In fact, it is. If I know a directory of another website which
allows uploading files via php, I'll be able to write a file to this location,
offering an upload-script on my website. In this way I could put
offending files in someone else's website, who probably protected his
php-upload-script with .htaccess.

I would suggest that move_uploaded_file() should be modified in such
a way that files may only be moved to directories whose owner is the
same as the upload-script while safe-mode restriction applies.
This approach would guarantee that nobody other than the people who
offer an upload-script will be able to put files in the owner's webspace.

After such a modification move_uploaded_file() will be really safe. At
present, it's not. It allows skipping the safe-mode restriction.

Kind regards and thanks for any feedback

Roberto

 [2002-03-17 12:35 UTC] sander@php.net
This is already implemented.
 [2002-03-19 03:04 UTC] webmaster at unizh dot ch
Sorry, but in fact the bug still persists in php 4.1.2.
A php script owned by uid=xxx is able to upload
files to a directory owned by uid=yyy in safe_mode.
Please reopen this bug.
 [2002-03-19 03:07 UTC] derick@php.net
I think Sander meant it's fixed in CVS. Can you try a snapshot from snaps.php.net, or wait for 4.2.0RC1, which will be rolled tomorrow?

Derick
 [2002-03-19 03:16 UTC] webmaster at unizh dot ch
Sorry, since we were still running php 4.1.1 yesterday,
I was not aware that Sander meant that the bug was
fixed in CVS. Since you announced the new release
for tomorrow, I'll wait and try it out.

Thanks Roberto
 [2002-03-19 03:18 UTC] derick@php.net
I didn't say "release" but RC, which means "release candidate".

Derick
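
The ownership comparison proposed in the report (destination directory owner must equal the upload script's owner), written as a user-land sketch; this is an added example, not code from the report or from PHP itself. The names dir_owned_by_script(), safe_move_upload() and $destDir are hypothetical, and a hostile co-hosted script would simply omit such a check, which is why the report asks for it inside move_uploaded_file().

```php
<?php
// Added example: user-land version of the owner check the report proposes.
// Function names and $destDir are hypothetical, not part of PHP.

function dir_owned_by_script(string $dir): bool
{
    $real = realpath($dir);            // resolve symlinks and ".." before checking
    if ($real === false || !is_dir($real)) {
        return false;
    }
    $dirOwner    = fileowner($real);   // UID owning the destination directory
    $scriptOwner = getmyuid();         // UID owning the running script file
    return $dirOwner !== false
        && $scriptOwner !== false
        && $dirOwner === $scriptOwner;
}

function safe_move_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload did not complete');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via PHP');
    }
    // The check from the report: refuse directories owned by another UID.
    if (!dir_owned_by_script($destDir)) {
        throw new RuntimeException('destination not owned by script owner');
    }
    // Keep only the last path component of the client-supplied name.
    $name = basename($file['name']);
    if ($name === '' || $name[0] === '.') {
        throw new RuntimeException('unacceptable file name');
    }
    $target = realpath($destDir) . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    return $target;
}

// Constructed usage: in an upload handler, $_FILES['doc'] is an assumed field name.
// $stored = safe_move_upload($_FILES['doc'], __DIR__ . '/uploads');
```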
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 13:01:29 2024 UTC