Bugtraq mailing list archives
Re: move_uploaded_file breaks safe_mode restrictions in PHP
From: Patrick Oonk <patrick () pine nl>
Date: Thu, 21 Mar 2002 16:23:12 +0100
On Thu, Mar 21, 2002 at 10:55:18AM +0100, sesser () php net wrote:
Hi,

first of all I want to clarify that move_uploaded_file isn't breaking safe_mode restrictions. move_uploaded_file lacked an openbasedir check. That feature was added on the request of tozz. move_uploaded_file was able to move files to directories writeable for the apache user because of some other bug (that was fixed several days before the bug report) that was not within move_uploaded_file but in some other place.

Besides that: maybe you can tell me where the apache user has write access to (beside /tmp) on a properly configured system? This bug only allows creating new files; it is not possible to write to already existing files. So the whole "security" impact on a properly configured system is in my eyes that a customer is able to fill the hard disk.

Stefan Esser

/usr/local/apache/proxy on a default apache install.

p

--
patrick oonk - pine internet - patrick () pine nl - www.pine.nl/~patrick
T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF
Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
Excuse of the day: bad ether in the cables
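
An added example, not part of the original thread: a small audit that answers the question raised in the exchange above by listing the directories under a tree where a given uid could create new files, apart from an allow-list such as /tmp. The uid and gid values, the allow-list and the sample tree are constructed assumptions; only mode bits are checked, not ACLs or the traversal rights on parent directories.

```python
import os
import stat
import tempfile


def can_create_in(st, uid, gids):
    """Mode-bit check: may (uid, gids) create a new entry in this directory?"""
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def writable_dirs(root, uid, gids, allowed=()):
    """Directories under root where uid could create files, minus the allow-list."""
    allowed = [os.path.realpath(a) for a in allowed]
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        real = os.path.realpath(dirpath)
        if any(real == a or real.startswith(a + os.sep) for a in allowed):
            dirnames[:] = []  # expected scratch space: do not descend or report
            continue
        if can_create_in(os.stat(dirpath), uid, gids):
            hits.append(real)
    return sorted(hits)


def demo():
    """Constructed tree: tmp (allowed), proxy (world-writable), htdocs (read-only)."""
    root = tempfile.mkdtemp()
    for name, mode in (("tmp", 0o1777), ("proxy", 0o777), ("htdocs", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    web_uid = os.getuid() + 4242  # hypothetical web server uid, owns nothing here
    web_gids = {os.getgid() + 4242}  # hypothetical web server group
    found = writable_dirs(root, web_uid, web_gids, allowed=[os.path.join(root, "tmp")])
    return [os.path.relpath(p, os.path.realpath(root)) for p in found]


if __name__ == "__main__":
    print(demo())  # directories the hypothetical web uid could fill
```

On a real host, call `writable_dirs` with the web server account's actual uid and group ids and the paths it is expected to write to.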