ID: 28456
User updated by: overflow at neuf dot fr
Reported By: overflow at neuf dot fr
-Status: Open
+Status: Bogus
Bug Type: Unknown/Other Function
PHP Version: 4.3.4
New Comment:
$_FILES['userfile']['type'] can be fake by the client with raw http :
Content-Type: text/plain
Previous Comments:
------------------------------------------------------------------------
[2004-05-20 17:49:38] mail at young dot org dot ua
Oh, yes.
I have try to analyze this question, and got following result:
If Post data looks like this:
Content-Disposition: form-data; name="userfile";
filename="../test.html"
Variable $_FILES['userfile']['name'] initializes with value
"../test.html"
And one more example code taken from PHP manual:
--------
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['userfile']['name'];
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
--------
Trying to copy file into '/var/www/uploads/../test.html
And in opinien this situation potential dangerous.
------------------------------------------------------------------------
[2004-05-20 17:03:17] overflow at neuf dot fr
Description:
------------
upload php vulnerability for $_FILES['userfile']['name'] can contain
string "../" if the name start with a "." with a fake raw http :
Content-Disposition: form-data; name="userfile";
filename="../../../test.html"
Reproduce code:
---------------
http://slythers.tcpteam.org/uploadphpvuln.txt
Expected result:
----------------
security vulnerability in upload script
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=28456&edit=1
