Bug #15928 Updated: move_uploaded_file() is unsafe running in safe-mode

[derick]

 ID:               15928
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Closed
+Status:           Feedback
 Bug Type:         PHP options/info functions
 Operating System: AIX
 PHP Version:      4.1.2
 New Comment:

I think Sander meant it's fixed in CVS. Can you try a snapshot from
snaps.php.net, or wait for 4.2.0RC1, which will be rolled tomorrow?

Derick


Previous Comments:
------------------------------------------------------------------------

[2002-03-19 03:04:45] [EMAIL PROTECTED]

Sorry, but in fact the bug still persists in php 4.1.2
a php script owned by uid=xxx is able to upload
files to a directory owned by uid=yyy in safe_mode.
Please reopen this bug.

------------------------------------------------------------------------

[2002-03-17 12:35:33] [EMAIL PROTECTED]

This is already implemented.

------------------------------------------------------------------------

[2002-03-07 06:15:09] [EMAIL PROTECTED]

Security issue in move_uploaded_file() while in safe-mode

We have different web-sites running on our server. Each of them
may prepare a directory in which files may be written using php-upload
and move_uploaded_file(). Our webserver runs with
safe-mode-restriction.

The documentations says, as mentioned, that this is not unsafe.

Note: move_uploaded_file() is not affected by the normal
                       safe-mode UID-restrictions. This is not unsafe
because
                       move_uploaded_file() only operates on files
uploaded via PHP. 

In fact, it is. If I know a directory of another website which
allows to upload files via php, I'll be able to write a file to this
location,
offering an upload-script on my website. I could on this way put
offending files in someone elses website, who probably protectet his
php-upload-script with .htaccess.

I would suggest that move_uploaded_file() should be modified that
way, that files may only be moved to directories whose owner is the
same as the upload-script while safe-mode restriction applies. 
This approach would guarantee that nobody else as the people who 
offers an upload-script will be able to put files in the owners
webspace. 

After such a modification move_uploaded_file() will be really safe. At
present, it's not. It allows to skip safe-mode-restriction.

Kind regards and thanks for any feedback

Roberto

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=15928&edit=1