||Home : Advisories : PHP Security Advisory - File Uploads|
||PHP Security Advisory - File Uploads
||11th September 2000
PHP supports RFC 1867 based file uploads. PHP saves uploaded files in a
temporary directory on the server, using a temporary name. This temporary
name is exposed to the PHP script as $FOO, where "FOO" is the name of the
file input tag in the submitted form. Many PHP scripts process $FOO
without taking measures to ensure that it is in fact a file that resides in
a temporary directory. It's possible for a remote attacker to supply
arbitrary file names as values for FOO, by submitting a standard form input
tag by that name, and thus cause the PHP script to process arbitrary files.
The impact varies among different scripts, and depends on the action that
the script performs on the uploaded file. Note that the actions that are
performed on the uploaded file are (usually) being done with the
permissions of the Web server user (usually 'nobody').
Affected software versions
The problem is not in the source code of PHP, and is thus not related to
any particular version of PHP; However, many PHP scripts may suffer from
it, because there was no standard, easy way of testing whether a certain
file is indeed a temporary uploaded file, or any other file on the
system. This means that the previous posts on Bugtraq were not accurate -
there's no way to make a patch for PHP that prevents scripts from being
vulnerable to this exploit, the logic in the scripts themselves has to be
Note that prior to PHP 4.0, there is no way to turn 'register_globals' off,
thus eliminating the ability of remote attackers to define variables in
PHP's global scope (it's possible to prevent PHP 3.0 from processing HTTP
variables completely by setting gpc_order to "" in php.ini, but there's no
convenient way to access HTTP data that way).
Never trust any input that may be coming from the remote user. Always test
whether the variable you expect to contain the path of an upload file,
actually contains a file path of a temporary file in the system.
It is strongly recommended to turn register_globals off if possible. If
register_globals is off, you can safely check $HTTP_POST_VARS for
information about the upload files (see below). If register_globals is
kept on, one must realize that any variable in the global scope might be
overwritten by remote user input.
New versions of PHP have been packaged (4.0.3RC1 and 3.0.17RC1), to make it
easier to secure scripts from this vulnerability. They include a new
function that make it easy to determine whether a certain filename is a
temporary uploaded file or not:
/* Test whether a file is an uploaded file or not */
PHP 4.0.3 also features a new convenience function:
/* Move an uploaded file to a new location. If the file is not
* a valid upload file, no action will take place.
In addition, as of PHP 4.0.3, it's safe to use
$HTTP_POST_FILES["FOO"]["tmp_name"] - which cannot be written to by any
remote user input, even when register_globals is on.
The new versions are currently in testing, and thus have the RC tag.
PHP 3.0.17RC1 (upgrading to PHP 4.0 is strongly recommended):
Consult the PHP manual, particularly the 'PHP variables' section of
- Shaun Clowes from SecureReality, for pointing out this issue in the
first place and helping in its assessment.
- Jon Ribbens, for helping out in the discussion about how to address this
issue (albeit in a fairly ugly manner).
- The PHP documentation team, and especially Lars Torben Wilson, for
updating the online manual.