From: overflow at neuf dot fr Operating system: PHP version: 4.3.4 PHP Bug Type: Unknown/Other Function Bug description: upload php vulnerability
Description: ------------ upload php vulnerability for $_FILES['userfile']['name'] can contain string "../" if the name start with a "." with a fake raw http : Content-Disposition: form-data; name="userfile"; filename="../../../test.html" Reproduce code: --------------- http://slythers.tcpteam.org/uploadphpvuln.txt Expected result: ---------------- security vulnerability in upload script -- Edit bug report at http://bugs.php.net/?id=28456&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=28456&r=trysnapshot4 Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=28456&r=trysnapshot5 Fixed in CVS: http://bugs.php.net/fix.php?id=28456&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=28456&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=28456&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=28456&r=needscript Try newer version: http://bugs.php.net/fix.php?id=28456&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=28456&r=support Expected behavior: http://bugs.php.net/fix.php?id=28456&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=28456&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=28456&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=28456&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=28456&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=28456&r=dst IIS Stability: http://bugs.php.net/fix.php?id=28456&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=28456&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=28456&r=float
