ID: 15928
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Closed
Bug Type: PHP options/info functions
Operating System: AIX
PHP Version: 4.1.2
New Comment:
This is already implemented.
Previous Comments:
------------------------------------------------------------------------
[2002-03-07 06:15:09] [EMAIL PROTECTED]
Security issue in move_uploaded_file() while in safe-mode
We have different web-sites running on our server. Each of them
may prepare a directory in which files may be written using php-upload
and move_uploaded_file(). Our webserver runs with
safe-mode-restriction.
The documentations says, as mentioned, that this is not unsafe.
Note: move_uploaded_file() is not affected by the normal
safe-mode UID-restrictions. This is not unsafe
because
move_uploaded_file() only operates on files
uploaded via PHP.
In fact, it is. If I know a directory of another website which
allows to upload files via php, I'll be able to write a file to this
location,
offering an upload-script on my website. I could on this way put
offending files in someone elses website, who probably protectet his
php-upload-script with .htaccess.
I would suggest that move_uploaded_file() should be modified that
way, that files may only be moved to directories whose owner is the
same as the upload-script while safe-mode restriction applies.
This approach would guarantee that nobody else as the people who
offers an upload-script will be able to put files in the owners
webspace.
After such a modification move_uploaded_file() will be really safe. At
present, it's not. It allows to skip safe-mode-restriction.
Kind regards and thanks for any feedback
Roberto
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=15928&edit=1
