Incomplete Identification of Uploaded File Variables (PHP)

ID: 616
Date: (C)2012-05-14   (M)2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Variant





Description

The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.

Extended Description

These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as "/etc/passwd".

Applicable Platforms
Language: PHP

Time Of Introduction

  • Implementation

Common Consequences

Scope: Confidentiality, Integrity
Technical Impact: Read files or directories; Modify files or directories

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design
Description: Use PHP 4 or later.

Phase: Architecture and Design
Description: If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'].

Phase: Implementation
Description: For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
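
The legacy pattern beside the mitigated one, as an added example that is not part of the CWE entry. The field name `userfile` follows the entry; `UPLOAD_DIR` and both function names are hypothetical.

```php
<?php
// Added example, not code from the CWE entry. UPLOAD_DIR is an assumed path.
const UPLOAD_DIR = '/var/www/uploads';

// Legacy "four globals" pattern. With register_globals, $userfile and
// $userfile_name could be set by a query string, POST field or cookie as
// easily as by a real upload, so this copies whatever path the request names.
function store_upload_legacy(string $userfile, string $userfile_name): bool
{
    return copy($userfile, UPLOAD_DIR . '/' . $userfile_name);
}

// Mitigated: read the entry PHP built from the multipart body, then confirm
// the temp path really is an HTTP upload before touching it.
function store_upload(array $files, string $field = 'userfile'): string
{
    $f = $files[$field] ?? null;
    // A field posted as userfile[] yields arrays here; reject that shape.
    if (!is_array($f) || !is_string($f['tmp_name'] ?? null)) {
        throw new RuntimeException('no single file in field ' . $field);
    }
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $f['error']);
    }
    // is_uploaded_file() consults PHP's own record of this request's uploads,
    // so a path such as /etc/passwd fails even if it reached $f somehow.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // The client-supplied name is untrusted; store under a generated name.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() repeats the upload check before moving.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        echo 'stored as ' . basename(store_upload($_FILES));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```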
 
  

Relationships

Related CWE: CWE-616 ChildOf CWE-896
Type: Category
View: CWE-888

Demonstrative Examples

  1. "The global $_FILES exists as of PHP 4.1.0 (Use $HTTP_POST_FILES instead if using an earlier version). These arrays will contain all the uploaded file information."
  2. As of 2006, the "four globals" method is probably in sharp decline, but older PHP applications could have this issue.

Observed Examples

  1. CVE-2002-1460: Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files.
  2. CVE-2002-1759: Product doesn't check if the variables for an upload were set by uploading the file, or other methods such as $_POST.
  3. CVE-2002-1710: Product does not distinguish uploaded file from other files.


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: PLOVER
Name: Incomplete Identification of Uploaded File Variables (PHP)
 
 

References:

  1. Shaun Clowes. A Study in Scarlet - section 5, "File Upload".

© 2013 SecPod Technologies