PHP 4.2.2 - File Upload Problem

From: Felipe Franciosi (franciozzy@terra.com.br)
Date: 08/31/02


Date: Sat, 31 Aug 2002 15:49:06 -0300
From: Felipe Franciosi <franciozzy@terra.com.br>
To: vuln-dev@securityfocus.com

Hello all,

I noticed a problem using PHP 4.2.2 as a cgi parser and Apache 1.3.26 on
a slackware 8.0 box running kernel 2.2.21.

As I searched the online manual pages, I noticed that
"alexis AT mvs DOT com" had already seen this problem. I spoke with
him and he said PHP has not answered his questions about it.

The problem is when posting a file through a form like this:

<FORM METHOD="POST" ACTION="script.php" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="userfile">
<INPUT TYPE="SUBMIT" VALUE="Send File">
</FORM>

In 'script.php', the interpreter is supposed to configure an array
called "$_FILES" with several indexes:
$_FILES['userfile']['name']
$_FILES['userfile']['tmp_name']
$_FILES['userfile']['type']
$_FILES['userfile']['size']
$_FILES['userfile']['error']

The last one was supposed to follow these codes:

0 : UPLOAD_ERR_OK (file uploaded ok)
1 : UPLOAD_ERR_INI_SIZE (upload exceeds 'upload_max_filesize' in php.ini)
2 : UPLOAD_ERR_FORM_SIZE (upload exceeds 'MAX_FILE_SIZE' in html form)
3 : UPLOAD_ERR_PARTIAL (file uploaded partially)
4 : UPLOAD_ERR_NO_FILE (no file was uploaded)

The constants are only supposed to be defined in php 4.3.0, but there's
no problem with that.

The problem is that if you fill the form with a file that doesn't
exist and send it, $_FILES['userfile']['error'] will be set to 0 (upload ok)!

The only way I found to check if a file was really uploaded is to check
the size of the file (it will also be set to 0).

The point I'm trying to make here is to warn about this issue and to
question if there are ways to use this "bug" in cross-script hacking
anyway.

Thanks,
Felipe

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Felipe Franciosi    franciozzy@terra.com.br
 Porto Alegre - RS                    Brazil
 Phone: (55)(51) 9123 0557    UIN - 33596050
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
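
A server-side check for the case reported above, where the error index is 0 although no file arrived. This is an added example, not part of the original post: check_upload() is a hypothetical helper, the sample entries are constructed, and it assumes a PHP version that defines the UPLOAD_ERR_* constants.

```php
<?php
// Added example (not from the original post). check_upload() is a hypothetical
// helper; assumes a PHP version that defines the UPLOAD_ERR_* constants.
function check_upload(array $files, string $field): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        return 'field missing';
    }
    $f = $files[$field];
    // Array-style fields (name="userfile[]") turn every key into an array.
    foreach (['name', 'tmp_name', 'size', 'error'] as $key) {
        if (!isset($f[$key]) || is_array($f[$key])) {
            return 'malformed entry';
        }
    }
    if ((int) $f['error'] !== UPLOAD_ERR_OK) {
        return 'rejected: error code ' . (int) $f['error'];
    }
    // The case from the post: error says 0, but no data arrived.
    if ((int) $f['size'] <= 0 || $f['tmp_name'] === '') {
        return 'rejected: empty upload despite error 0';
    }
    // tmp_name must be a file this request delivered via HTTP POST.
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'rejected: tmp_name is not an uploaded file';
    }
    // The size PHP reported should match what is on disk.
    if (filesize($f['tmp_name']) !== (int) $f['size']) {
        return 'rejected: size mismatch';
    }
    return 'ok';
}

// Constructed $_FILES-shaped entries; none comes from a real request.
$base = ['name' => 'report.txt', 'type' => 'text/plain'];
$samples = [
    'nonexistent file, as in the post' => $base + ['tmp_name' => '', 'size' => 0, 'error' => 0],
    'no file selected' => $base + ['tmp_name' => '', 'size' => 0, 'error' => 4],
    'tmp_name not from this request' => $base + ['tmp_name' => __FILE__, 'size' => 10, 'error' => 0],
];
foreach ($samples as $label => $entry) {
    printf("%-34s %s\n", $label, check_upload(['userfile' => $entry], 'userfile'));
}
```

In a real handler the call would be check_upload($_FILES, 'userfile'), made before move_uploaded_file() touches the temporary file.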
