Bugzilla – Bug 924970
VUL-0: CVE-2015-2348: php5,php53: The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x ...
Last modified: 2015-09-10 15:53:03 UTC
via cve db CVE-2015-2348 The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for bug CVE-2006-7243. References: http://git.php.net/?p=php-src.git;a=commit;h=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 https://bugs.php.net/bug.php?id=69207
bug 654853 is the old one. 5.2 is not affected, 5.3 or later is affected.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61384
bugbot adjusting priority
Tested like this:

# zypper in apache2-mod_php5
# systemctl start apache2

# cat /srv/www/htdocs/upload.html
<html>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

# cat /srv/www/htdocs/upload.php
<?php
if ($_FILES["file"]["error"] > 0) {
    echo "Error: " . $_FILES["file"]["error"] . "<br />";
} else {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    $tmpname = $_FILES["file"]["tmp_name"];
    echo "Stored in: " . $tmpname . "<br />";
    // Crafted destination: the part after the NUL byte is what an
    // extension check would see. An unfixed PHP hands the C-level
    // rename a string truncated at "\x00", so the file lands as
    // "$tmpname.php"; a fixed PHP rejects the name and returns false.
    if (move_uploaded_file($tmpname, $tmpname . ".php\x00.jpg")) {
        foreach (glob($tmpname . ".php*") as $filename) {
            echo "Moved to: $filename<br />";
        }
    } else {
        echo 'Can not move. <br />';
    }
}
?>

Open http://localhost/upload.html, choose a file and submit.

BEFORE:
Upload: .bashrc
Type: application/octet-stream
Size: 1.3095703125 Kb
Stored in: /tmp/phpAyvjEx
Moved to: /tmp/phpAyvjEx.php

# rcapache2 restart

AFTER:
Upload: .bashrc
Type: application/octet-stream
Size: 1.3095703125 Kb
Stored in: /tmp/phpR86gPX
Can not move.
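The reproducer above relies on the engine-level fix to make move_uploaded_file() refuse a destination containing "\x00". Application code should not depend on that alone: the same bug class (CVE-2006-7243 and this incomplete fix) recurs whenever a length-prefixed PHP string is handed to a NUL-terminated C API. The following is an added example, not code from this bug report or from the PHP project, showing a destination-name check that is safe on both fixed and unfixed builds. The upload directory, the extension whitelist and the helper names are assumptions for illustration.

```php
<?php
// Added example (not from the bug report or from PHP itself).
// Returns a safe on-disk destination for an uploaded file, or null if
// the client-supplied name must be rejected.
function safe_upload_destination($clientName, $uploadDir, array $allowedExt)
{
    // 1. PHP strings carry an explicit length, so an embedded NUL survives
    //    into userland even though every C filesystem call will stop at it.
    //    Reject it before any such call sees the name.
    if (strpos($clientName, "\0") !== false) {
        return null;
    }
    // 2. Drop any directory components the client sent ("../", "/etc/").
    $base = basename($clientName);
    // 3. Whitelist the extension, compared exactly after lower-casing.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 4. Never reuse the client's name on disk; generate our own.
    return rtrim($uploadDir, '/') . '/' . random_name() . '.' . $ext;
}

// Assumed helper: 32 hex characters from a CSPRNG. random_bytes() needs
// PHP 7; the openssl fallback covers the 5.x builds discussed in this bug.
function random_name()
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(16));
    }
    return bin2hex(openssl_random_pseudo_bytes(16));
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed names; no upload needed.
    $dir = '/srv/www/uploads';           // assumed, outside the docroot
    $ok  = array('jpg', 'jpeg', 'png');
    var_dump(safe_upload_destination("shell.php\0.jpg", $dir, $ok)); // NULL
    var_dump(safe_upload_destination("shell.php", $dir, $ok));       // NULL
    var_dump(safe_upload_destination("../x/photo.JPG", $dir, $ok));  // string
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    if ($_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('Upload error ' . $_FILES['file']['error']);
    }
    $dest = safe_upload_destination($_FILES['file']['name'],
                                    '/srv/www/uploads', array('jpg', 'jpeg', 'png'));
    if ($dest === null) {
        http_response_code(400);
        exit('Rejected file name');
    }
    // is_uploaded_file() guards against a forged tmp_name pointing elsewhere.
    if (!is_uploaded_file($_FILES['file']['tmp_name'])
        || !move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Can not move.');
    }
    echo 'Stored as ' . htmlspecialchars($dest);
}
```

Run it with `php upload_safe.php` to see the three self-check results; the crafted "shell.php\0.jpg" name is refused by step 1 before it can reach the engine, so the outcome no longer depends on whether the php5 package carries the fix for this bug.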
Hmm, I get correct behaviour (as I understand it) for 11sp3/5.3: Upload: .bashrc Type: application/octet-stream Size: 1.3095703125 Kb Stored in: /tmp/phpNY9M94 Can not move.
12 is affected: Upload: .bashrc Type: application/octet-stream Size: 1.3095703125 Kb Stored in: /tmp/phpk2gauC Moved to: /tmp/phpk2gauC.php
13.2 is affected: Upload: .bashrc Type: application/octet-stream Size: 1.3095703125 Kb Stored in: /tmp/phpAyvjEx Moved to: /tmp/phpAyvjEx.php
13.1 affected too Upload: images.jpg Type: image/jpeg Size: 7.76953125 Kb Stored in: /tmp/phpeCZuoC Moved to: /tmp/phpeCZuoC.php
Packages submitted.
Could you check the openSUSE submission? https://build.opensuse.org/request/show/293989 Unfortunately we just released a PHP update which broke the source link. Could you osc pull and re-submit?
openSUSE-SU-2015:0684-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 924970,924972,925109 CVE References: CVE-2015-2348,CVE-2015-2787 Sources used: openSUSE 13.2 (src): php5-5.6.1-18.1 openSUSE 13.1 (src): php5-5.4.20-49.1
SUSE-SU-2015:0868-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 922022,922451,922452,923946,924970,924972,925109,928408,928506,928511 CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2348,CVE-2015-2783,CVE-2015-2787,CVE-2015-3329,CVE-2015-3330 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-22.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-22.1
released. SLE11 SP3 / SP4 is not affected.