Re: [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE
- Subject: Re: [cobalt-users] Raq3 && PHP4.0.4pl1 => BIG SECURITY HOLE
- From: Marco Baurdoux <linux@xxxxxxxxxxxxx>
- Date: Thu Sep 13 21:34:30 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi Scott,
The first time I upload this script
<?
system("/sbin/halt");
?>
The next time I create a script that changes the perms of this uploaded
file. I can modify the perms of the uploaded script via PHP because the
owner also is httpd. Now I execute the uploaded script.
Try it on a development machine and you'll see and have shivers go all
down your spine :-))
On 14.9.2001 12:58, Glen Scott at glen@xxxxxxxxxxxxxxxxxxxx wrote:
>> Hi there,
>>
>> Some of our customers started complaining lately about the fact that once
>> they uploaded files through PHP and used the "move_uploaded_file" function
>> of php the rights of the uploaded file would look like this.
>>
>> -rw------- 1 httpd root 66 Sep 13 15:53 /home/sites/home/web/tmp/test.file
>>
>> Which is of course a huge security hole !!!
>>
>
> Why is this a security hole? As far as I can see, the file can only
> be read and written to by the user 'httpd'. Isn't the group in this
> case irrelevant?
>
> Anyway, I can confirm that PHP4.0.6 sets the permissions for uploaded
> files in this way, too.
>
> Regards,
>
> Glen Scott
=======================================================================
Marco Baurdoux
Unix Administrator
Infomaniak Network SA
Avenue de la Praille 26
1227 Carouge
Switzerland
Tel: +41 (0)22 820 35 41
Fax: +41 (0)22 820 35 46
http://web.infomaniak.ch
=======================================================================
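
A defender-side audit for the condition described in this thread, as an added example that is not part of the original message: it walks a web root and lists every file owned by the web server account (which any script running as that account can chmod), marking those that already carry an execute bit or a script extension. The function names, the extension list and the sample tree are assumptions constructed for illustration; the current user stands in for `httpd`.

```python
import os
import stat
import tempfile

# Assumed list of extensions the server hands to an interpreter; match it to
# the real handler configuration of the audited host.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".phtml", ".cgi", ".pl"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_webroot(root, server_uid):
    """Return sorted (relative_path, reasons) for regular files owned by server_uid."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode) or st.st_uid != server_uid:
                continue
            # Ownership alone lets the server process change the mode later.
            reasons = ["server-owned"]
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script-extension")
            if st.st_mode & EXEC_BITS:
                reasons.append("executable")
            findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root; all files belong to the current user."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "tmp"))
    samples = {"index.html": 0o644, "tmp/test.file": 0o600,
               "tmp/upload.php": 0o600, "tmp/tool.bin": 0o700}
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in audit_webroot(sample_root, os.getuid()):
        print(rel_path, ",".join(why))
```

On a real host, pass the numeric uid of the web server account and the site's document root instead of the sample tree.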