PHP Upload Arbitrary File Disclosure Vulnerability
BID:1649
Info
PHP Upload Arbitrary File Disclosure Vulnerability
| Bugtraq ID: | 1649 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 03 2000 12:00AM |
| Updated: | Sep 03 2000 12:00AM |
| Credit: | This vulnerability was originally posted to bugtraq by Secure Reality Advisories <[email protected]> on September 4, 2000. |
| Vulnerable: |
PHP PHP/FI 2.0 b10 PHP PHP/FI 2.0 PHP PHP/FI 1.0 PHP PHP 4.0 0 PHP PHP 3.0.13 PHP PHP 3.0.12 PHP PHP 3.0.11 PHP PHP 3.0.10 PHP PHP 3.0.9 PHP PHP 3.0.8 PHP PHP 3.0.7 PHP PHP 3.0.6 PHP PHP 3.0.5 PHP PHP 3.0.4 PHP PHP 3.0.3 PHP PHP 3.0.2 PHP PHP 3.0.1 PHP PHP 3.0 0 |
| Not Vulnerable: | |
Discussion
PHP Upload Arbitrary File Disclosure Vulnerability
PHP's handling of uploads means that PHP applications can be manipulated into opening arbitrary files on the server, rather than those uploaded by the user. This may permit a remote user to read any file located on the server which is readable by a user of the server's privilege level.
PHP's handling of uploads means that PHP applications can be manipulated into opening arbitrary files on the server, rather than those uploaded by the user. This may permit a remote user to read any file located on the server which is readable by a user of the server's privilege level.
Exploit / POC
PHP Upload Arbitrary File Disclosure Vulnerability
On any PHP script that allows file uploading, find the name assigned to the variable that contains the path and name of the temporary file that will be created in the upload process. Then POST to the PHP script referenced by the form action variable, setting the tempfile variable to the path and name of the file you wish to view.
An exploit including sample files was posted to Bugtraq by "Signal 11" <[email protected]> and is linked to in the credit section.
On any PHP script that allows file uploading, find the name assigned to the variable that contains the path and name of the temporary file that will be created in the upload process. Then POST to the PHP script referenced by the form action variable, setting the tempfile variable to the path and name of the file you wish to view.
An exploit including sample files was posted to Bugtraq by "Signal 11" <[email protected]> and is linked to in the credit section.
Solution / Fix
References
PHP Upload Arbitrary File Disclosure Vulnerability
References:
References:
- PHP Arbitrary File Disclosure - original PHP posting (PHP Development Team.)
- PHP bug database ID#6496 (PHP Development Team.)