Last night the security news broke of a "PHP arbitrary file upload vulnerability", CVE number CVE-2015-2348. I was just about to pack up and go home when I saw the news and it gave me a start: has the null-byte truncation upload vulnerability, long gone from the scene, reappeared? And affecting so many versions! If the vulnerability were real, it looked like tonight would be spent patching.
After a quick analysis, however, I found that the conditions for exploiting the vulnerability are quite strict. Many people are curious about just how strict, so I will simply record my own analysis process and share it here; where I have got something wrong, please correct me.
1. Vulnerability overview
The report states that the path parameter of the PHP upload function move_uploaded_file() can be truncated with a null character, bypassing jpg/png upload type checks and leading to arbitrary file upload. The report gives the following test EXP:
According to the bug report, 5.3 and later versions are affected (https://bugs.php.net/bug.php?id=69207).
2. Vulnerability testing
To verify the vulnerability, I built a test environment with version 5.3.6; the structure of the test code is as follows:
Upload front-end page upload.htm:
Upload handling script upload.php:
Testing the upload against upload.php always fails: move_uploaded_file() returns false.
I also tried version 5.3.29 and still could not make the test succeed. Could my testing method be wrong? Time to look at the source code.
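The report describes handlers that build the destination path from the client-supplied file name and check the extension on that string, which is exactly where a null byte would matter. As an added example (not the post's own upload.php, which is not reproduced above), here is a handler written so that the client-supplied name never becomes part of a filesystem path and the file type is decided from the file content, so it is safe regardless of whether a given PHP build's move_uploaded_file() rejects NUL bytes. The form field name "file", the directory uploads/ and the two-entry whitelist are assumptions.

```php
<?php
// Added example, not the post's upload.php. Assumed: form field "file",
// destination directory uploads/ beside this script, jpg/png whitelist.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
// Map from content-detected MIME type to the extension we assign ourselves.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Stores one entry of $_FILES and returns the server-side path, or null if
 * the upload is rejected. The client name is never used to build the path,
 * so a NUL byte (or "../") in it cannot influence where the file lands.
 */
function store_upload(array $file): ?string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }

    // The original name is only logged. Reject NUL bytes anyway so that a
    // tampered request is visible in the logs rather than silently normalised.
    $clientName = (string)($file['name'] ?? '');
    if (strpos($clientName, "\0") !== false) {
        error_log('upload rejected: NUL byte in client-supplied file name');
        return null;
    }

    // Only accept files that PHP's own upload machinery actually produced.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Decide the type from the bytes on disk, not from the name or from the
    // client-supplied $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        error_log('upload rejected: content type ' . var_export($mime, true) . ' not allowed');
        return null;
    }

    // Server-generated name: random, with an extension chosen from the whitelist.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        error_log('upload rejected: move_uploaded_file() failed for ' . $clientName);
        return null;
    }
    return $target;
}

// Usage inside the request handler.
if (isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file']);
    echo $stored === null ? "upload rejected\n" : "stored as " . basename($stored) . "\n";
}
```

Because the destination is built entirely from server-side values, the check on the return value of move_uploaded_file() becomes a plain error path rather than the last line of defence. The same pattern is what you would want in place while verifying whether a particular PHP version is affected by the report.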
3. Vulnerability debugging
move_uploaded_file is implemented in the file ext/standard/basic_functions.c; the key code:
The code has several return-false branches, so the failed test must have hit one of them.