ID: 16128
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: *General Issues
Operating System: Linux 2.4.13
PHP Version: 4.1.2
New Comment:
I applied the patch from CVS (The CVS itself fucked up almost all my
hosted sites), so I added:

    if (php_check_open_basedir(Z_STRVAL_PP(new_path) TSRMLS_CC)) {
        RETURN_FALSE;
    }

on row 2473 in ./ext/standard/basic_functions.c
I have disabled the open_basedir restriction for root.net-force.nl and
I was able to upload to any directory that apache has write access
to.
However, this could also be by design. Because without open_basedir PHP
is not limited to a certain directory. And therefore PHP should indeed
be able to write to any directory where PHP has write access.
Or perhaps this is not what wouter means :) If that's the case, sorry to
bug you ;)
Previous Comments:
------------------------------------------------------------------------
[2002-03-18 14:20:46] [EMAIL PROTECTED]
I advise you to test the CVS version before claiming this.
------------------------------------------------------------------------
[2002-03-18 14:18:10] [EMAIL PROTECTED]
In CVS it's fixed _if_ you use open_basedir. But if you don't, the
php_checkuid fails to do its work...
------------------------------------------------------------------------
[2002-03-17 16:03:34] [EMAIL PROTECTED]
This bug has been fixed in CVS.
------------------------------------------------------------------------
[2002-03-17 15:21:37] [EMAIL PROTECTED]
The script in this example is a bit crippled due to word wrapping. Here
is the original script:
http://root.net-force.nl/prog.txt
------------------------------------------------------------------------
[2002-03-17 15:05:11] [EMAIL PROTECTED]
One of my customers has found a way to break my safe_mode and
open_basedir restrictions. (www.net-force.nl)
He created the following script:
<?
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];
$size_limit = "100000"; // set size limit in bytes
if ($file) {
    if ($size < $size_limit) {
        move_uploaded_file($temp, "/domains/killanet.org/public_html/www/test/".$file);
        echo "The file <tt>$file</tt> was sucessfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}
echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>
As you can see, he moved the uploaded file to:
"/domains/killanet.org/public_html/www/test/"
Which should be impossible, because my httpd.conf says:
<VirtualHost 213.206.77.232>
DocumentRoot /domains/net-force.nl/public_html/root/
ServerName root.net-force.nl
CustomLog /domains/net-force.nl/logs/access_log combined
ErrorLog /domains/net-force.nl/logs/error_log
php_admin_value safe_mode 1
php_admin_value open_basedir /domains/net-force.nl/public_html/root/
</VirtualHost>
As you can see I have both set safe_mode and the open_basedir
restriction but this user is able to upload any file where the apache
user has write access.
Credits fly out to [EMAIL PROTECTED] for finding this bug.
------------------------------------------------------------------------
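An added example, not PHP's source and not code from this report: a minimal C sketch of a destination-path check of the kind discussed in this thread, run against the base directory and target directory quoted above. The function names are hypothetical, symlinks are not resolved, and the comparison on path-component boundaries is an assumption of the sketch, not a statement of how PHP 4.1.2 behaves.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise an absolute path: collapse "//", "." and "..".
 * Symlinks are not resolved (simplifying assumption of this sketch).
 * Returns 0 on success, -1 if the path is relative or does not fit. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");   /* length of the next component */
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/')
                ;                      /* drop last component, stop at root */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            if (len + 1 + n >= outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* 1 if dest is base itself or lies below it on a component boundary, else 0. */
int dest_within_basedir(const char *base, const char *dest)
{
    char b[1024], d[1024];
    if (normalize_path(base, b, sizeof b) || normalize_path(dest, d, sizeof d))
        return 0;
    size_t bl = strlen(b);
    if (bl == 1) return 1;             /* base is "/" */
    return strncmp(b, d, bl) == 0 && (d[bl] == '/' || d[bl] == '\0');
}

int main(void)
{
    /* base is the open_basedir from the vhost; file names are constructed. */
    const char *base = "/domains/net-force.nl/public_html/root/";
    printf("%d\n", dest_within_basedir(base, "/domains/killanet.org/public_html/www/test/a.txt"));
    printf("%d\n", dest_within_basedir(base, "/domains/net-force.nl/public_html/root/up/a.txt"));
    return 0;
}
```

The check has to run on the destination argument as well as the source, which is the gap this report describes for move_uploaded_file.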