ID: 28456 Updated by: [EMAIL PROTECTED] Reported By: overflow at neuf dot fr Status: Closed Bug Type: Unknown/Other Function PHP Version: 4.3.4 New Comment:
http://cvs.php.net/diff.php/php-src/main/rfc1867.c?r1=1.122.2.18&r2=1.122.2.19&ty=u http://cvs.php.net/diff.php/php-src/main/rfc1867.c?r1=1.155&r2=1.156&ty=u Previous Comments: ------------------------------------------------------------------------ [2004-09-21 09:06:01] NetVicious at gmail dot com Hi! toni2001 do could post the changes to the source code for manual patching ? ------------------------------------------------------------------------ [2004-05-21 10:25:12] [EMAIL PROTECTED] This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. ------------------------------------------------------------------------ [2004-05-20 18:30:14] overflow at neuf dot fr $_FILES['userfile']['type'] can be fake by the client with raw http : Content-Type: text/plain ------------------------------------------------------------------------ [2004-05-20 17:49:38] mail at young dot org dot ua Oh, yes. I have try to analyze this question, and got following result: If Post data looks like this: Content-Disposition: form-data; name="userfile"; filename="../test.html" Variable $_FILES['userfile']['name'] initializes with value "../test.html" And one more example code taken from PHP manual: -------- $uploaddir = '/var/www/uploads/'; $uploadfile = $uploaddir . $_FILES['userfile']['name']; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { -------- Trying to copy file into '/var/www/uploads/../test.html And in opinien this situation potential dangerous. ------------------------------------------------------------------------ [2004-05-20 17:03:17] overflow at neuf dot fr Description: ------------ upload php vulnerability for $_FILES['userfile']['name'] can contain string "../" if the name start with a "." with a fake raw http : Content-Disposition: form-data; name="userfile"; filename="../../../test.html" Reproduce code: --------------- http://slythers.tcpteam.org/uploadphpvuln.txt Expected result: ---------------- security vulnerability in upload script ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=28456&edit=1