[dev] imp-2.2.4 tmpfile problems ?

Brent J. Nordquist bjn@horde.org
Mon, 21 May 2001 10:25:50 -0500 (CDT)


On Fri, 18 May 2001, Jarno Huuskonen <Jarno.Huuskonen@uku.fi> wrote:

> I guess there is no problem with the actual file upload with php4, but the
> problem is in the imp copy call (compose.php3:L915):
>
> copy (safe_file($file_upload), safe_file($file_upload) . '.att');
>       ^^^^^This is OK (at least w/php4), but the second argument (destination)
> is just the original temporary filename with .att added to the end.
>
> Example: php creates a temporary filename: /tmp/php2nRC4r so the copy call
> will be:
> copy('/tmp/php2nRC4r', '/tmp/php2nRC4r.att').
> And the copy call does not check if the destination file '/tmp/php2nRC4r.att'
> exists / is a symlink.
>
> (OK I checked the php-4.0.5 source and it looks like that in safe mode
> the copy call has some checks (but I still think that even with that there's
> still temp-race)). Hope you can prove me wrong ;-)

Well, I think the burden of proof is on the one identifying the issue.
:-)  If you have a working exploit, pass it along.

If I'm reading the code right, in safe mode, copy() checks to ensure that
both the source and the target are owned by the uid of the current
process.  I can't see how there can be a /tmp race here... you would have
to create the target as the web server uid, which local (non-super-)users
can't do.

It also seems to me that any /tmp race, sym. link, or other issues with
PHP's copy() function and upload mechanism would be PHP issues, not
Horde/IMP issues, wouldn't they?

-- 
Brent J. Nordquist <bjn@horde.org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
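The two forms of the copy discussed in this thread, side by side, as an added example that is not code from the thread or from IMP itself. The unsafe function reproduces the quoted compose.php3 pattern (IMP's safe_file() wrapper omitted); the hardened one assumes PHP 4.0.3 or later for is_uploaded_file() and move_uploaded_file().

```php
<?php
// Added example (not IMP's own code). The thread's point: a destination name
// derived from the upload's temp name is predictable, and copy() does not care
// what already sits at that path. Letting the OS create the destination with a
// fresh name closes that window.

// Unsafe form, as quoted from compose.php3: the target is the source temp
// name plus '.att', and copy() writes through whatever is already there.
function save_attachment_unsafe(string $file_upload): string
{
    $target = $file_upload . '.att';
    copy($file_upload, $target);
    return $target;
}

// Hardened form (assumption: PHP >= 4.0.3 for the upload helpers).
function save_attachment_safe(string $file_upload, string $dir): string
{
    // Only accept a file PHP itself received through the HTTP upload mechanism.
    if (!is_uploaded_file($file_upload)) {
        throw new RuntimeException('not an uploaded file');
    }
    // tempnam() creates an empty file with a fresh, unguessable name (mode 0600)
    // using an exclusive create, so no pre-existing file or symlink is reused.
    $target = tempnam($dir, 'att');
    if ($target === false) {
        throw new RuntimeException('cannot create attachment file');
    }
    // Defensive re-check before writing: still a regular file, not a link.
    if (is_link($target) || !is_file($target)) {
        unlink($target);
        throw new RuntimeException('attachment path tampered with');
    }
    // move_uploaded_file() refuses anything that is not an upload and replaces
    // the placeholder with a rename, which swaps the directory entry rather
    // than following whatever is at the target path.
    if (!move_uploaded_file($file_upload, $target)) {
        unlink($target);
        throw new RuntimeException('cannot store attachment');
    }
    return $target;
}
```

Call save_attachment_safe($_FILES['upload']['tmp_name'], sys_get_temp_dir()) from the upload handler; the returned path is the only name the attachment is ever known by.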