From: Bharat M. <bh...@me...> - 2008-07-30 14:35:30
Andy Staudacher wrote:
> Only if we have an item / file with mime type == php/cgi/sh/pl/exe/...
> in our system already.

My discussion of this is purely theoretical, I don't know of any vulnerabilities here. But if we do the conversion by mime type and an attacker manages to get application/x-httpd-php into the database, then we might wind up converting foo.dat to tmp.php.

> And the output file name of the operation is a temp file. We then move it
> to the destination filename.
>
> How could "convert foo tmp.php" be a bad thing (when you move the file
> to its destination filename afterwards)?
> How would that be different from "convert foo php:tmp" ?

If the attacker manages to set up a scenario where the move fails (no idea how to make that happen, but let's suppose) then there's a PHP file possibly of the attacker's creation hanging around in the tmp dir. If we did "convert foo.dat php:tempfile.tmp" then at least the temp file would not be executable in case it gets leaked.

This seems like an unlikely and improbable scenario. But it's also easy to avoid by using prefixes, so I figured it'd be one less thing to worry about.

-Bharat
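The prefix-versus-extension point from the message above, as an added example in Python (not code from this thread or its project): a naive temp name whose extension is derived from the stored MIME type, beside a version that allowlists the target format and passes it as an explicit `format:` prefix on a neutral `.tmp` name. The `FORMAT_BY_MIME` table and both function names are assumptions made for this example.

```python
import os

# Constructed allowlist: MIME type -> ImageMagick format token. Anything not
# listed is refused rather than guessed from the (possibly attacker-stored) type.
FORMAT_BY_MIME = {
    "image/jpeg": "jpeg",
    "image/png": "png",
    "image/gif": "gif",
}

# Neutral suffix: never web-executable, whatever format ends up inside.
NEUTRAL_SUFFIX = ".tmp"


def naive_output_name(mime_type, tmpdir):
    """The risky pattern: extension taken from the MIME subtype.

    'application/x-httpd-php' -> '<tmpdir>/tmp.php', so a leaked or
    un-moved temp file carries an executable extension.
    """
    ext = mime_type.rsplit("/", 1)[-1].split("-")[-1]
    return os.path.join(tmpdir, "tmp." + ext)


def safe_convert_args(src, mime_type, tmpdir):
    """Build argv for `convert` with an explicit format prefix.

    The output format comes from the allowlist, not from the file name,
    and the temp file always ends in NEUTRAL_SUFFIX.
    """
    fmt = FORMAT_BY_MIME.get(mime_type)
    if fmt is None:
        raise ValueError("refusing to convert to unlisted type: %s" % mime_type)
    out_path = os.path.join(tmpdir, "tmp" + NEUTRAL_SUFFIX)
    # e.g. ['convert', 'foo.dat', 'png:/var/tmp/tmp.tmp']
    return ["convert", src, "%s:%s" % (fmt, out_path)]
```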