Red Hat Bugzilla – Bug 41229
php-3.0.18 uses insecure tmp-files
Last modified: 2007-04-18 12:33:19 EDT
Description of Problem:
Php tempnam function creates insecure temporary filenames. This
function calls mktemp/tempnam --> files are created afterwards without
O_EXCL. Insecure temporary files are created for example with form
This can be quite nasty with imp-webmail: First user uploads a file (so
user controls the filecontent) and php3 creates tmp file
called "/tmp/phpXXXXXX" (this file creation has the tmp-race). After
that it's imps job to copy the tmp file, and imp does a
copy("/tmp/phpXXXXXX", "/tmp/phpXXXXXXX.att") without checking that the
/tmp/phpXXXXXX.att file doesn't exist (imp problem).
One possible workaround is to set the 'upload_tmp_dir' variable in
php3.ini away from world-writable directory.
Created attachment 18890 [details]
Experimental patch for php-3.0.18 to use mkstemp/fdopen for file uploads
Created attachment 19072 [details]
Fixed patch: Now should work when upload_tmp_dir is not set.
Is this still relevant?
6.2 is no longer supported for errata and was the last Red Hat version to ship
with PHP version 3