If you use the documented mechanism for handling file uploads, then there
is no such security problem.  See
http://www.php.net/manual/en/features.file-upload.php

i.e., use the move_uploaded_file() function.

-Rasmus

On Thu, 12 Jul 2001, Toby Goldstone wrote:

> Hi.
>
> I've (or rather the company I work for) recently transferred to a new
> PHP host (www.hotchilli.com). All is fine, but they do not allow file
> uploads via a form, stating the following security risk:
>
> Arbitrary file disclosure through PHP file upload
> http://www.net-security.org/text/bugs/968074710,61298,.shtml
>
> The following, posted by Zeev, would seem to suggest that the above has been
> solved some time ago:
>
> http://www.securityfocus.com/templates/archive.pike?list=1&mid=80197
>
> Hotchilli also state that 'we have been advised in addition to this by the
> developers of PHP who we work with quite closely to disable the function on
> 'all' shared servers.'
>
> So. Could someone please tell me if this bug has been solved and if so, in
> what version?
>
> Cheers,
>
> -Toby Goldstone / [EMAIL PROTECTED]
>
>
>
>


-- 
PHP General Mailing List (http://www.php.net/)