Apache Today

PHP Security Advisory - File Uploads
Sep 11, 2000, 20:28 UTC

Date: Mon, 11 Sep 2000 07:13:22 +0300
From: Zeev Suraski
To: [email protected]
Subject: PHP Security Advisory - File Uploads

Problem


PHP supports RFC 1867 based file uploads. PHP saves uploaded files in a temporary directory on the server, using a temporary name. This temporary name is exposed to the PHP script as $FOO, where "FOO" is the name of the file input tag in the submitted form. Many PHP scripts process $FOO without taking measures to ensure that it is in fact a file that resides in a temporary directory. It's possible for a remote attacker to supply arbitrary file names as values for FOO, by submitting a standard form input tag by that name, and thus cause the PHP script to process arbitrary files.

Impact


The impact varies among different scripts, and depends on the action that the script performs on the uploaded file. Note that the actions that are performed on the uploaded file are (usually) being done with the permissions of the Web server user (usually 'nobody').

Affected software versions


The problem is not in the source code of PHP, and is thus not related to any particular version of PHP; however, many PHP scripts may suffer from it, because there was no standard, easy way of testing whether a certain file is indeed a temporary uploaded file, or any other file on the system. This means that the previous posts on Bugtraq were not accurate: there's no way to make a patch for PHP that prevents scripts from being vulnerable to this exploit; the logic in the scripts themselves has to be modified.

Note that prior to PHP 4.0, there is no way to turn 'register_globals' off, which is what would eliminate the ability of remote attackers to define variables in PHP's global scope (it's possible to prevent PHP 3.0 from processing HTTP variables completely by setting gpc_order to "" in php.ini, but there's no convenient way to access HTTP data that way).

Solution


Never trust any input that may be coming from the remote user. Always test whether the variable you expect to contain the path of an uploaded file actually contains the path of a temporary file in the system.

It is strongly recommended to turn register_globals off if possible. If register_globals is off, you can safely check $HTTP_POST_VARS[] for information about the upload files (see below). If register_globals is kept on, one must realize that any variable in the global scope might be overwritten by remote user input.

Software Updates


New versions of PHP have been packaged (4.0.3RC1 and 3.0.17RC1), to make it easier to secure scripts from this vulnerability. They include a new function that makes it easy to determine whether a certain filename is a temporary uploaded file or not:

/* Test whether a file is an uploaded file or not */
is_uploaded_file($path);

PHP 4.0.3 also features a new convenience function:

/* Move an uploaded file to a new location.  If the file is not
  * a valid upload file, no action will take place.
  */
move_uploaded_file($path, $new_path);

In addition, as of PHP 4.0.3, it's safe to use $HTTP_POST_FILES["FOO"]["tmp_name"] - which cannot be written to by any remote user input, even when register_globals is on.
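
An upload handler that applies the checks described above, as an added example that is not part of the original advisory. It uses $_FILES, the name later PHP versions give to $HTTP_POST_FILES; the function name store_upload(), the destination directory and the sample array are assumptions made for illustration.

```php
<?php
// Added example, not from the advisory. "FOO" is the advisory's field name;
// store_upload() and the destination directory are hypothetical.

// Pattern the advisory warns about (register_globals on): $FOO comes from
// the global scope, so it may be an ordinary form value, not an upload.
//     copy($FOO, '/var/www/uploads/incoming.dat');

function store_upload(array $files, $field, $destDir)
{
    // Take the temporary name only from the upload array, never a global.
    if (!isset($files[$field]['tmp_name'], $files[$field]['error'])
        || !is_string($files[$field]['tmp_name'])   // FOO[] style arrays
        || $files[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files[$field]['tmp_name'];

    // Refuse any path PHP did not itself create for an RFC 1867 upload.
    if (!is_uploaded_file($tmp)) {
        return false;
    }

    // The stored name is generated here, not taken from the request.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.upload';

    // move_uploaded_file() repeats the check; no action for non-uploads.
    return move_uploaded_file($tmp, $dest) ? $dest : false;
}

// In a request handler:
//     $stored = store_upload($_FILES, 'FOO', '/var/www/uploads');

// Constructed input: a real file on disk that did not arrive as an upload.
$local = tempnam(sys_get_temp_dir(), 'chk');
$forged = ['FOO' => ['tmp_name' => $local, 'error' => UPLOAD_ERR_OK]];
var_dump(store_upload($forged, 'FOO', sys_get_temp_dir()));
unlink($local);
```

Run from the command line, the constructed entry is refused because is_uploaded_file() only accepts files PHP received in the current request's upload.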

The new versions are currently in testing, and thus have the RC tag.

PHP 4.0.3RC1:
http://www.php.net/do_download.php?download_file=php-4.0.3RC1.tar.gz

PHP 3.0.17RC1 (upgrading to PHP 4.0 is strongly recommended):
http://www.php.net/distributions/php-3.0.17RC1.tar.gz

Further Information


Consult the PHP manual, particularly the 'PHP variables' section of
http://www.php.net/manual/language.variables.predefined.php

Acknowledgements


- Shaun Clowes from SecureReality, for pointing out this issue in the first place and helping in its assessment.
- Jon Ribbens, for helping out in the discussion about how to address this issue (albeit in a fairly ugly manner).
- The PHP documentation team, and especially Lars Torben Wilson, for updating the online manual.

PHP Group
http://www.php.net/
--
Zeev Suraski
http://www.zend.com/
