    Junior Member
    Join Date: Aug 2000
    Eindhoven, NL
    Source: http://www.jayniz.de/Arbitrary%20fil...e%20upload.txt

    I came across this interesting piece, don't know how relevant it is, but just check it.


    Arbitrary file disclosure through PHP file upload


    (We found this particular issue a while ago but were planning to disclose it
    at a later date once we had a chance to investigate its impact on most
    popular PHP software. However, the issue was recently half found/disclosed
    by a poster on the php-general mailing list, who didn't appear to realise
    its impact)

    _Almost_ any PHP program which provides file upload capability

    PHP is a feature heavy web scripting language that has become widely
    popular. One of its many features is easy handling of file uploads from
    remote browsers. This functionality is very commonly used, particularly in
    photo gallery, auction and webmail style applications.

    The way that PHP handles file uploads makes it simple to trick PHP
    applications into working on arbitrary files local to the server rather than
    files uploaded by the user. This will generally lead to a remote attacker
    being able to read any file on the server that can be read by the user the
    web server is running as, typically 'nobody'.

    1. File disclosure
    2. (1) will often lead to disclosure of PHP code
    3. (2) will often lead to disclosure of database authentication data
    4. (3) may lead to machine compromise

    When files are uploaded to a PHP script, PHP receives the file, gives it a
    random name and places it into a configured temporary directory. The PHP
    script is given information about the file that was uploaded in the form of
    4 global variables. Presuming the file field in the form was called 'hello',
    the 4 variables would be:
    $hello = Name of temporary file (e.g '/tmp/ASHDjkjbs')
    $hello_name = Name of file when it was on the remote computer (e.g
    $hello_type = Mime type of file (e.g 'text/plain')
    $hello_size = Size of uploaded file (e.g 2000 bytes)

    The temporary file is automatically deleted at the end of the execution of
    the script so the PHP script usually needs to move it somewhere else. For
    example, it might copy the file into a blob in a MySQL database.

    The problem is actually in the way PHP behaves by default. Unless
    deliberately configured otherwise (via register_globals = Off in php.ini)
    the values specified in form fields upon a submit are automatically
    declared by their form name as global variables inside the PHP script.

    If I had a form with an input field like
    <INPUT TYPE="hidden" NAME="test" VALUE="12">

    When the PHP script is called to handle the form input, the global variable
    $test is set. In my opinion this is a significant security risk (in fact,
    I'll be posting quite a few security issues based around it in the coming
    weeks). The problem is simple: cluttering the global namespace with user
    defined input so destabilizes the environment that it is almost impossible to
    write in it securely.

    Back to the issue at hand. Using the fact mentioned above, we can create the
    four variables $hello, $hello_name, $hello_type, $hello_size ourselves using
    form input like the following
    <INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
    <INPUT TYPE="hidden" NAME="hello_name" VALUE="c:scary.txt">
    <INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
    <INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">

    This should lead to the PHP script working on the passwd file, usually
    resulting in it being disclosed to the attacker.

    Unfortunately, I believe this style of problem to be impossible to fix with
    the default behaviour/configuration of PHP, I'll be demonstrating this with
    several advisories in the next few weeks.

    My suggestion to all administrators of PHP enabled boxes is to change the
    register_globals in php.ini to off, and switch track_vars to on. This will
    however lead to most PHP scripts breaking. In the short term, disable any
    PHP scripts you have that provide file upload functionality until the vendor
    of those scripts can provide a fix/determine non vulnerability.

    For PHP coders with little control over the configuration of the boxes they
    work on: hopefully track_vars has been enabled on the box. Check if 'hello'
    is present in $HTTP_GET_VARS, $HTTP_POST_VARS or $HTTP_COOKIE_VARS, if it
    is, ignore the input.

    Advice, directions and instructions on security vulnerabilities in this
    advisory do not constitute: an endorsement of illegal behaviour; a guarantee
    that protection measures will work; an endorsement of any product or
    solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
    provided as is and Secure Reality does not accept responsibility for any
    damage or injury caused as a result of its use.
  #2
    Contributing User
    Join Date: Mar 2000
    Certainly interesting, but IIRC, php4rc1 was released 01-May-00 (warning article dated 09-Apr-00, presumably php3, or php4beta), and php4rc2 was supposed to fix remaining security holes, primarily for Win32 users.

    link doesn't work, has anyone seen this elsewhere?
  #3
    Junior Member
    Join Date: Jul 2000
    I believe it is meant to be read as released 9-4-2000, as in Sept 4th, 2000. It is a real bug and a real issue.
  #4
    Contributing User
    Join Date: Mar 2000
    You are correct, PHP.net has it shown for 01-Sep-00. After working with the US Gov, Navy and MySQL, my date formats are all screwed, and the Euro format doesn't help my confusion any.
  #5
    Banned (not really)
    Join Date: Dec 1999
    Caro, Michigan
    From php.net:

    <?php
    // $userfile is the temp path PHP set for a form field named 'userfile'
    // Make sure file is coming from upload directory
    $uploadpath = get_cfg_var('upload_tmp_dir') . '/' . basename($userfile);

    // If you have not set your TMPDIR in php.ini, the following line
    // can be uncommented, and used instead of the above line
    // $uploadpath = dirname(tempnam('', '')) . '/' . basename($userfile);

    if (file_exists($uploadpath)) {
        copy($uploadpath, "/place/to/put/uploaded/file");
    } else {
        echo "Not an uploaded file!";
    }

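The handler pattern the advisory attacks (post #1: a script trusting $hello, $hello_name, $hello_type as the variables PHP set for a file field called 'hello'), the advisory's own stop-gap check against $HTTP_*_VARS, and the temp-directory check quoted from php.net in post #5, brought together in one added example. This is not code from the advisory, the forum posters or php.net, and it goes beyond the thread in one respect: the hardened handler uses $_FILES, is_uploaded_file() and move_uploaded_file(), which PHP added after this advisory precisely to close the hole. It targets PHP 7.1 or newer; the upload directory, function names and the constructed attacker request are assumptions for the demo, only the field name 'hello' and the hidden-field values come from the advisory.

```php
<?php
// Added example, not code from the advisory or the forum posts. Field name
// 'hello' and the hidden-field values are the advisory's; everything else
// (function names, upload directory, the constructed request) is assumed.

// 1. Vulnerable pattern. The script treats $hello / $hello_name / $hello_type
//    as the variables PHP sets for a file field called 'hello' and copies the
//    "upload" into a blob destined for the database. With register_globals on,
//    an ordinary POST field hello=/etc/passwd defines $hello just the same.
function store_upload_vulnerable(string $hello, string $hello_name, string $hello_type): array
{
    return [
        'name' => $hello_name,
        'type' => $hello_type,
        'data' => file_get_contents($hello),   // reads whatever $hello points at
    ];
}

// 2. The advisory's stop-gap for PHP without is_uploaded_file(): a real file
//    part is recorded in $HTTP_POST_FILES (today $_FILES), not in the plain
//    request-variable arrays ($HTTP_GET_VARS etc., today $_GET/$_POST/$_COOKIE).
//    If the field name shows up there, the temp path came from the client.
function upload_field_forged(string $field): bool
{
    foreach ([$_GET, $_POST, $_COOKIE] as $vars) {
        if (array_key_exists($field, $vars)) {
            return true;
        }
    }
    return false;
}

// 3. Hardened pattern (PHP >= 4.1): read the file only through $_FILES, which
//    is populated solely from genuine multipart file parts, and let
//    is_uploaded_file()/move_uploaded_file() refuse any path PHP did not create
//    for this request. This holds even if register_globals is still on, and it
//    replaces the php.net "does it exist under upload_tmp_dir" heuristic, which
//    an attacker able to plant a file in the temp directory could satisfy.
function store_upload_hardened(array $files, string $field, string $upload_dir): ?string
{
    if (!isset($files[$field]) || $files[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;                                   // no real upload
    }
    $tmp = $files[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;                                   // forged temp path
    }
    // Never build the destination from the client's name alone: strip any
    // directory part, whitelist characters, and prefix a server-chosen token.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($files[$field]['name']));
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(8)) . '_' . $safe;
    // move_uploaded_file() re-checks the upload origin before moving.
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}

// Constructed attacker request: the advisory's four hidden fields and no file
// part at all. extract() stands in for what register_globals did automatically.
$_POST = [
    'hello'      => '/etc/passwd',
    'hello_name' => 'scary.txt',
    'hello_type' => 'text/plain',
    'hello_size' => '2000',
];
extract($_POST, EXTR_SKIP);

// The vulnerable handler happily reads the server's own file into the blob.
$row = store_upload_vulnerable($hello, $hello_name, $hello_type);
printf("vulnerable handler stored %d bytes of %s as '%s'\n",
       strlen((string) $row['data']), $hello, $row['name']);

// The advisory's check notices that 'hello' arrived as a plain POST field.
printf("stop-gap check flags the request: %s\n",
       upload_field_forged('hello') ? 'yes' : 'no');

// No multipart file part was sent, so $_FILES['hello'] is absent and the
// hardened handler refuses before touching any path.
var_dump(store_upload_hardened($_FILES, 'hello', sys_get_temp_dir()));
```

Run it from the command line (php upload_demo.php): the first handler reports the byte count of /etc/passwd, the stop-gap check answers yes, and the hardened handler returns NULL. Under a web server with a real multipart upload, $_FILES['hello'] is set, is_uploaded_file() passes, and the hardened handler moves the file; send the same hidden fields instead and it still returns NULL, because only PHP's own multipart parser fills $_FILES.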