Re: move_uploaded_file breaks safe_mode restrictions in PHP

[Patrick Oonk <patrick () pine nl>]

On Thu, Mar 21, 2002 at 10:55:18AM +0100, sesser () php net wrote:
> Hi,
>
> first of all i want to clearify, that move_uploaded_file isn't breaking
> safe_mode restrictions. move_uploaded_file lacked an openbasedir check.
> That feature was added on the request of tozz. move_uploaded_file was
> able to move files to directories writeable for the apache user because
> of some other bug (, that was fixed several days before the bugreport)
> that was not within move_uploaded_file but in some other place.
>
> Beside that: maybe you can tell me where the apache user has write
> access to (beside /tmp) on a properly configured system?
> This bug only allows to create new files, it is not possible to
> write to already existing files. So the whole "security" impact on
> a properly configured system is in my eyes that a customer is able
> to fill the harddisk.
>
>
> Stefan Esser

/usr/local/apache/proxy on a default apache install.

        p


-- 
 patrick oonk - pine internet - patrick () pine nl - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
 Excuse of the day: bad ether in the cables