If you use the documented mechanism for handling file uploads, then there
is no such security problem.  See

ie. use the move_uploaded_file() function.


On Thu, 12 Jul 2001, Toby Goldstone wrote:

> Hi.
> I've (or rather the company I work for) recently transferred to a new new
> PHP host (www.hotchilli.com). All is fine, but they do not allow file
> uploads via a form, stating the following security risk:
> Arbitrary file disclosure through PHP file upload
> http://www.net-security.org/text/bugs/968074710,61298,.shtml
> The following, posted by Zeev, would seem to suggest that the above has been
> solved some time ago:
> http://www.securityfocus.com/templates/archive.pike?list=1&mid=80197
> Hotchilli also state that 'we have been advised in addition to this by the
> developers of PHP who we work with quite closely to disable the function on
> 'all' shared servers.'
> So. Could someone please tell me if this bug has been solved and if so, in
> what version?
> Cheers,
> -Toby Goldstone / [EMAIL PROTECTED]

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to