Bug 70775 - Uploaded files have execute permission set
Uploaded files have execute permission set
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: apache (Show other bugs)
7.2
i386 Linux
low Severity low
: ---
: ---
Assigned To: Joe Orton
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-08-04 23:26 EDT by kop
Modified: 2005-10-31 17:00 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-21 06:51:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description kop 2002-08-04 23:26:01 EDT
Description of Problem:

I've a php script which uploads files.  These files arrive on the
server (after move_uploaded_file()) with ugo execute permission set.

This can't be good.

Version-Release number of selected component (if applicable):
php-4.0.6-15
apache-1.3.22-6

How Reproducible:

Always.

Steps to Reproduce:

Upload file with php, save with move_uploaded_file.


Expected Results:

I'd expect u=rw,g=rw,o=r permissions (group rw allows "collaboration"
between webserver and others.)

Additional Information:

Am using the default umask in the apache config file. (i.e. umask
never specified.)

My script does contain the code:
// Make the temp directory.
$mask = umask(05002);    // Turn off setuid, sticky bit, and 'other' write
mkdir($temppath, 02774); // Allow anybody to read but not decend
umask($mask);

Later, the uploaded file is moved into $temppath with move_uploaded_file().
This shouldn't matter, but.... (Other files created with fopen, fwrite, fclose
are not executable.)

See also?: Bug#:41229

What is the default upload directory (/etc/php.ini says it's "the system
default") so I can add an appropriate umask to the apache configuration file?
Maybe the default apache umask should be && 0111?

P.S.  It seems a little uncivil to be reporting security problems in
what amounts to a public forum. Is there another way?  (I assigned priority
"low" as it takes another exploit to take advantage of this behavior.)
Comment 1 kop 2002-08-04 23:35:51 EDT
Presently permissions on uploaded files are: -rwxr-xr-x
Comment 2 Gary Benson 2002-08-13 07:58:44 EDT
You'd only be able to exploit this if your script saved uploaded files into
somewhere that the webserver would execute them.  If you _are_ doing this then
you should stop, since you can make an exploit without requiring execute
permissions: PHP, mod_perl, mod_python, etc don't require their scripts be
executable.

It is, however, a little strange that they arrive with execute permissions set,
and it should probably be fixed.  In the meantime you can always fix this in
your script by chmod()ing them (see
http://www.php.net/manual/en/function.chmod.php).

By the way, using umask() in your script probably won't work since PHP downloads
the file before any of your code executes.
Comment 3 Joe Orton 2004-09-21 06:51:19 EDT
Thanks for the report.  This is a mass bug update; since this release
of Red Hat Linux is no longer supported, please either:

a) try and reproduce the bug with a supported version of Red Hat
Enterprise Linux or Fedora Core, and re-open this bug as appropriate
after changing the Product field, or,

b) if relevant, try and reproduce this bug using the current version
of the upstream package, and report the bug upstream.

Note You need to log in before you can comment on or make changes to this bug.