RE: [PHP-DEV] FW: (SRADV00001) Arbitrary file disclosure through PHP file upload From: Signal 11 (signal11 <email protected>)
Date: 09/04/00

> He is a little bit confused. This has nothing to do with register_globals
> and turning off register_globals does nothing to fix this issue. I
> committed a patch which fixes the problem, but we will probably refine it.

More than a little! I posted some more information to bugtraq so that
people can view the bug in the database. You might want to just tag a note
on that bug id saying a patch has been committed and will be available
shortly... aleph usually takes about 4-8 hours to get to messages.

> My suggestion is for people to simply check their $userfile_name variable
> and make sure they are copying a file from their tmp directory and nowhere
> else. And of course, your web server user id should not have access to
> sensitive files on your system anyway.

Well, I made the suggestion to check the filesize, although your
suggestion should have been obvious to me. Ngggh... that's what I get
for trying to think at 2 in the morning. :\

~ Signal 11

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
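The check described in the quoted reply (copy only from the upload tmp directory and nowhere else), written out as an added example; this is not code from the thread or from PHP itself. It assumes a form field named "userfile", an upload target of /var/www/uploads, and the modern $_FILES array in place of the register_globals-era $userfile / $userfile_name / $userfile_size variables the thread talks about. The vulnerable pattern is shown first so the difference is visible.

```php
<?php
// Added example, not from the original thread.
// Assumptions: form field "userfile", destination /var/www/uploads,
// and $_FILES instead of the old $userfile / $userfile_name globals.

// VULNERABLE pattern from the advisory: the script trusts the path it was
// handed. A client that posts a plain form field "userfile=/etc/passwd"
// (no real upload at all) gets that file copied into a web-readable directory.
function store_upload_unsafe(string $tmp_path, string $name): bool {
    return copy($tmp_path, '/var/www/uploads/' . basename($name));
}

// Returns true only if $path resolves to a regular file directly inside the
// upload tmp directory (upload_tmp_dir if set, else the system tmp dir).
function is_in_upload_tmp_dir(string $path): bool {
    $tmp_dir = ini_get('upload_tmp_dir');
    if ($tmp_dir === false || $tmp_dir === '') {
        $tmp_dir = sys_get_temp_dir();
    }
    $real_dir  = realpath($tmp_dir);
    $real_path = realpath($path);
    if ($real_dir === false || $real_path === false) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks, so a crafted path such as
    // /tmp/../etc/passwd cannot escape; the parent must be exactly the tmp dir.
    return is_file($real_path) && dirname($real_path) === $real_dir;
}

// HARDENED: refuse anything that does not live in the tmp dir. The size
// comparison is the weaker check mentioned in the reply; it is kept only as a
// sanity check, since a client-controlled size value proves nothing on its own.
function store_upload_safe(array $file, string $dest_dir): bool {
    if (!isset($file['tmp_name'], $file['name'], $file['size'])) {
        return false;
    }
    if (!is_in_upload_tmp_dir($file['tmp_name'])) {
        return false;
    }
    if (filesize($file['tmp_name']) !== (int) $file['size']) {
        return false;
    }
    // basename() strips any directory part the client put in the file name.
    $dest = rtrim($dest_dir, '/') . '/' . basename($file['name']);
    return copy($file['tmp_name'], $dest);
}

if (isset($_FILES['userfile'])) {
    $ok = store_upload_safe($_FILES['userfile'], '/var/www/uploads');
    echo $ok ? "stored\n" : "rejected\n";
}
```

The point of the path check is that the only thing the server knows for certain about a genuine upload is where PHP wrote it; everything else in the request is attacker-controlled. Later PHP releases added is_uploaded_file() and move_uploaded_file(), which perform this same origin check internally and are the right tool in current code; the hand-written version above just makes visible what they guard against.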