Bug #6496 The file upload feature opens a possible security hole
Submitted: 2000-09-01 20:38 UTC Modified: 2000-10-06 19:15 UTC
From: luci at conexim dot com dot au Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.2 OS: Linux
Private report: No CVE-ID: None
 [2000-09-01 20:38 UTC] luci at conexim dot com dot au
Public internet users can potentially read files residing on the webserver through existing php code using the file upload feature.

If there is a <FORM> with a "FILE" input field called, for example, "uploadedfile", followed by another form field with the same name "uploadedfile" whose value is the path of a file on the webserver ("/etc/passwd" works fine in many cases), then the code handling the uploaded file will process the file pointed to by the path given by the second form element, not the file actually uploaded. If the code is meant to display the uploaded file, or save it under a public URL, then the public users can see its contents.

There is a permission issue, as far as the ownership of the webserver process goes. But most setups use nobody, or another user/group which can read certain files on the webserver.

I have not tested to see if the file gets deleted at the termination of the script as the temporary files do.

 [2000-09-04 02:54 UTC] rasmus@php.net
A fix is in CVS which addresses this.  And, no, the faked file would not get deleted.

There is a second issue here related to scripts expecting a file upload being fed a form without a file upload field at all.  This is more of a documentation and user education issue though.  We will get some better code examples and data validation routines put up shortly.  The general advice is the same as always.  Never trust user-supplied data and check any such data before using it.
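The validation routine the comment above alludes to, written here as an added example (not code from the bug report or from PHP itself): an upload handler that rejects a "fake upload" whose path was supplied by the client. The field name "uploadedfile" and the destination directory are assumptions for illustration, and the hardened part uses is_uploaded_file()/move_uploaded_file() as found in later PHP releases.

```php
<?php
// Added example, not from the bug report. Field name and directory are
// assumptions chosen for illustration.

// Vulnerable pattern: trusting a path that arrived with the request and
// acting on whatever it points to. With register_globals (PHP 4.0.x) a
// second form field named "uploadedfile" could overwrite this variable
// with any path the webserver user can read.
function serve_upload_unsafe($path) {
    readfile($path);   // would happily read /etc/passwd
}

// Hardened pattern: act only on files PHP itself received in this request.
function store_upload($field, $destdir) {
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;  // no real upload in this request (or an upload error)
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // is_uploaded_file() is true only for files PHP wrote from the HTTP POST
    // body of the current request; a client-chosen path fails this check.
    if (!is_uploaded_file($tmp)) {
        error_log("rejected fake upload for field '$field': $tmp");
        return false;
    }
    // Never build the destination from the client-supplied file name.
    $dest = rtrim($destdir, '/') . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    if (!move_uploaded_file($tmp, $dest)) {
        return false;
    }
    return $dest;
}

$saved = store_upload('uploadedfile', '/var/www/uploads');
if ($saved === false) {
    http_response_code(400);
    echo "No valid upload received.";
} else {
    echo "Stored upload as " . basename($saved);
}
```

The check also covers the second issue in the comment: a form posted without any file field simply yields no entry in $_FILES and is refused.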
 [2000-09-04 05:55 UTC] stas@php.net
Since we don't have a fix for a "fake upload" yet, as I understand, and since the recent patch breaks innocent variables happening to start with the same prefix as some file upload, and since still no docs exist - I guess it would be a good thing to reopen this report until we have a full fix and docs.
 [2000-10-06 19:15 UTC] sniper@php.net
As those docs now exist I believe this can be closed.

--Jani