
[cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE



Hi there,

Some of our customers started complaining lately about the fact that once
they uploaded files through PHP and used the "move_uploaded_file" function
of PHP, the rights of the uploaded file would look like this:

-rw-------   1 httpd    root           66 Sep 13 15:53 /home/sites/home/web/tmp/test.file

Which is of course a huge security hole !!!

However, this problem only seemed to appear after we installed the
Os-update-4 package. Before, the rights on a machine were:

 -rwxrwxr-x   1 httpd    home           66 Sep 13 15:41 /home/sites/home/web/tmp/test.file


Now the code used to test this behaviour is as simple as
<?
if(move_uploaded_file($file, "/home/sites/home/web/tmp/test.file"))
{
    print ("Woaw Marco you're a genius. You did it again");
}
else
{
    print ("Marco, as a true friend, I suggest you go to your local book
store and purchase yourself a book about PHP for beginners");
}
?>

Now I'm completely puzzled.
Here's my configure line.
configure --with-mysql --with-gd --with-apxs --with-imap --enable-ftp

So nothing really special, nor experimental.
Apache runs user "httpd" and group "httpd" as usual.
PHP is compiled as a shared module of Apache.

A helping hand on this problem would be more than welcome, but most of all
could some of you please check this code on your machines, with the
OS-update-4.
The code itself is absolutely harmless but the security hole it opens
definitely is not.


=======================================================================

Marco Baurdoux
Unix Administrator
Infomaniak Network SA
Avenue de la Praille 26
1227 Carouge
Switzerland
Tel: +41 (0)22 820 35 41
Fax: +41 (0)22 820 35 46
http://web.infomaniak.ch

=======================================================================
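
A way to check what mode and ownership a moved upload ends up with, and to set the mode explicitly instead of depending on the default. This is an added example, not code from the original post: the helper names, the `file` form field and the 0644 mode are assumptions, and it is written for current PHP (`$_FILES`) rather than PHP 4.0.4.

```php
<?php
// Added example, not from the original post; helper names are hypothetical.

// Render the mode bits like `ls -l`, with numeric owner and group.
function describe_file($path)
{
    clearstatcache();
    $st = stat($path);
    if ($st === false) {
        return "$path: stat failed";
    }
    $flags = 'rwxrwxrwx';
    $out = '-';
    for ($i = 0; $i < 9; $i++) {
        $out .= ($st['mode'] & (0400 >> $i)) ? $flags[$i] : '-';
    }
    return sprintf('%s uid=%d gid=%d %s', $out, $st['uid'], $st['gid'], $path);
}

// Set an explicit mode on a stored upload and confirm it took effect.
function set_upload_mode($dest, $mode)
{
    if (!chmod($dest, $mode)) {
        return false;
    }
    clearstatcache();
    return (fileperms($dest) & 0777) === $mode;
}

if (PHP_SAPI !== 'cli') {
    // Web request: 'file' is the assumed name of the form's upload field.
    $dest = '/home/sites/home/web/tmp/test.file';
    if (isset($_FILES['file']) && move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        echo describe_file($dest), "\n";   // mode as left by the move
        set_upload_mode($dest, 0644);      // 0644 is an assumed policy
        echo describe_file($dest), "\n";
    }
} else {
    // Constructed offline demo: on Unix, tempnam() creates an owner-only file
    // and rename() keeps that mode, standing in for an upload being moved.
    $tmp  = tempnam(sys_get_temp_dir(), 'upl');
    $dest = $tmp . '.moved';
    rename($tmp, $dest);
    echo describe_file($dest), "\n";
    set_upload_mode($dest, 0644);
    echo describe_file($dest), "\n";
    unlink($dest);
}
```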