[ SOURCE: http://www.secureroot.com/security/advisories/9688268470.html ] Problem ======== PHP supports RFC 1867 based file uploads. PHP saves uploaded files in a temporary directory on the server, using a temporary name. This temporary name is exposed to the PHP script as $FOO, where "FOO" is the name of the file input tag in the submitted form. Many PHP scripts process $FOO without taking measures to ensure that it is in fact a file that resides in a temporary directory. It's possible for a remote attacker to supply arbitrary file names as values for FOO, by submitting a standard form input tag by that name, and thus cause the PHP script to process arbitrary files. Impact ======= The impact varies among different scripts, and depends on the action that the script performs on the uploaded file. Note that the actions that are performed on the uploaded file are (usually) being done with the permissions of the Web server user (usually 'nobody'). Affected software versions ========================== The problem is not in the source code of PHP, and is thus not related to any particular version of PHP; However, many PHP scripts may suffer from it, because there was no standard, easy way of testing whether a certain file is indeed a temporary uploaded file, or any other file on the system. This means that the previous posts on Bugtraq were not accurate - there's no way to make a patch for PHP that prevents scripts from being vulnerable to this exploit, the logic in the scripts themselves has to be modified. Note that prior to PHP 4.0, there is no way to turn 'register_globals' off, thus eliminating the ability of remote attackers to define variables in PHP's global scope (it's possible to prevent PHP 3.0 from processing HTTP variables completely by setting gpc_order to "" in php.ini, but there's no convenient way to access HTTP data that way). Solution ======== Never trust any input that may be coming from the remote user. Always test whether the variable you expect to contain the path of an upload file, actually contains a file path of a temporary file in the system. It is strongly recommended to turn register_globals off if possible. If register_globals is off, you can safely check $HTTP_POST_VARS[] for information about the upload files (see below). If register_globals is kept on, one must realize that any variable in the global scope might be overwritten by remote user input. Software Updates ================== New versions of PHP have been packaged (4.0.3RC1 and 3.0.17RC1), to make it easier to secure scripts from this vulnerability. They include a new function that make it easy to determine whether a certain filename is a temporary uploaded file or not: /* Test whether a file is an uploaded file or not */ is_uploaded_file($path); PHP 4.0.3 also features a new convenience function: /* Move an uploaded file to a new location. If the file is not * a valid upload file, no action will take place. */ move_uploaded_file($path, $new_path); In addition, as of PHP 4.0.3, it's safe to use $HTTP_POST_FILES["FOO"]["tmp_name"] - which cannot be written to by any remote user input, even when register_globals is on. The new versions are currently in testing, and thus have the RC tag. PHP 4.0.3RC1: http://www.php.net/do_download.php?download_file=php-4.0.3RC1.tar.gz PHP 3.0.17RC1 (upgrading to PHP 4.0 is strongly recommended): http://www.php.net/distributions/php-3.0.17RC1.tar.gz Further Information =================== Consult the PHP manual, particularly the 'PHP variables' section of http://www.php.net/manual/language.variables.predefined.php Acknowledgements ================== - Shaun Clowes from SecureReality, for pointing out this issue in the first place and helping in its assessment. - Jon Ribbens, for helping out in the discussion about how to address this issue (albeit in a fairly ugly manner). - The PHP documentation team, and especially Lars Torben Wilson, for updating the online manual. PHP Group http://www.php.net/ -- Zeev Suraski http://www.zend.com/