PHP tempname()º¯ÊýÈƹýsafe_mode°²È«ÏÞÖÆ©¶´
BUGTRAQ ID: 36555
CVE ID: CVE-2009-3557
PHPÊǹ㷺ʹÓõÄͨÓÃÄ¿µÄ½Å±¾ÓïÑÔ£¬ÌرðÊʺÏÓÚWeb¿ª·¢£¬¿ÉǶÈëµ½HTMLÖС£
PHPµÄtempnam()ÖеĴíÎó¿ÉÄÜÔÊÐíÈƹýsafe_modeÏÞÖÆ¡£ÒÔÏÂÊÇext/standard/file.cÖеÄÓЩ¶´´úÂë¶Î£º
PHP_FUNCTION(tempnam)
{
char *dir, *prefix;
int dir_len, prefix_len;
size_t p_len;
char *opened_path;
char *p;
int fd;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &dir, &dir_len,
&prefix, &prefix_len) == FAILURE) {
return;
}
if (php_check_open_basedir(dir TSRMLS_CC)) { [1]
RETURN_FALSE;
}
php_basename(prefix, prefix_len, NULL, 0, &p, &p_len TSRMLS_CC);
if (p_len > 64) {
p[63] = '\0';mud pump
}
if ((fd = php_open_temporary_fd(dir, p, &opened_path TSRMLS_CC)) >= 0) {
close(fd);
RETVAL_STRING(opened_path, 0);
}
efree(p);
}
ÔÚ[1]´¦tempnam()º¯Êý½ö¼ì²éÁËopen_basedirÖµ¡£
<*²Î¿¼
http://securityreason.com/securityalert/6601
http://secunia.com/advisories/37412/
*>
SEBUG°²È«½¨Òé:
³§É̲¹¶¡£º
PHP
---
Ä¿Ç°³§ÉÌÒѾ·¢²¼ÁËÉý¼¶²¹¶¡ÒÔÐÞ¸´Õâ¸ö°²È«ÎÊÌ⣬Çëµ½³§É̵ÄÖ÷Ò³ÏÂÔØ£º
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log
ÖýÂÁ¼þ ĥúÅç·Û»ú ·ç»úÒ¶ÂÖ Öýͼþ
Ïà¹ØÎĵµ£º
¡¡ 1¡¢ÓÃPHP´òÓ¡³öÇ°Ò»ÌìµÄʱ¼ä¸ñʽÊÇ2006-5-10 22:21:21(2·Ö)
¡¡¡¡2¡¢echo(),print(),print_r()µÄÇø±ð(3·Ö)
¡¡¡¡3¡¢Äܹ»Ê¹HTMLºÍPHP·ÖÀ뿪ʹÓõÄÄ£°å(1·Ö)
¡¡¡¡4¡¢Ê¹ÓÃÄÄЩ¹¤¾ß½øÐа汾¿ØÖÆ?(1·Ö)
¡¡¡¡5¡¢ÈçºÎʵÏÖ×Ö·û´®·×ª?(3·Ö)
¡¡¡¡--------------------------------------------------------------- ......
strtotimeº¯ÊýÊÇÒ»¸öºÜºÃµÄº¯Êý,Áé»îµÄÔËÓÃËü,»á¸øÄãµÄ¹¤×÷´øÀ´²»ÉÙ·½±ã.µ«PHPµÄÊÖ²áÖÐÈ´¶Ô´Ëº¯ÊýµÄ²ÎÊýû×÷Ì«¶à½éÉÜ,¶ÔЩº¯ÊýµÄÆäËû½éÉÜÒ²·Ç³£ÉÙ¡£
ÏÈ¿´ÊÖ²á½éÉÜ£º
strtotime — ½«ÈκÎÓ¢ÎÄÎı¾µÄÈÕÆÚʱ¼äÃèÊö½âÎöΪ Unix ʱ¼ä´Á
¸ñʽ£ºint strtotime ( string $time [, int $now ] )
¡¡¡¡±¾º¯ÊýÔ¤ÆÚ½ÓÊÜÒ ......
PHP ÖÐÇÉÓÃÊý×é½µµÍ³ÌÐòµÄʱ¼ä¸´ÔÓ¶È
±¾ÎÄÖ÷ÒªÊǽéÉÜÔÚ PHP µÄ±à³ÌÖУ¬ÈçºÎÇÉÓÃÊý×éÀ´½µµÍÒò¶à²ãÑ»·¶øÒýÆðµÄʱ¼ä¸´ÔӶȵÄÎÊÌâ¡£ÌرðÊǵ±³ÌÐòÐèÒª¶à´ÎÓëÊý¾Ý¿â½»»¥Ê±£¬Óô˷½·¨À´ÓÅ»¯ÄãµÄ´úÂ룬½«»á´ø¸øÒâÏë²»µ½µÄЧ¹û¡£
ͨ³£¿ª·¢ÈËÔ±ÔÚд³ÌÐòµÄʱºò£¬ÍùÍùÊÇ°ÑÒѾÉè¼ÆºÃ»òÕß¹¹Ë¼ºÃµÄÔËËãÂß¼£ ......
OpenX adserver version 2.8.1 and lower is vulnerable to remote code
execution. To be exploited, this vulnerability requires banner / file
upload permissions, such as granted to the 'advertiser' and
'administrator' roles.
This vulnerability is caused by the (insecure) file upload mechanism of
af ......
