Is it somehow possible to trick a PHP file upload to select a text document from the server?
Maybe by giving a link to the file in value="link-to-file.txt" in the HTML form?
There are multiple steps to distinguish:
1. The browser sends data to the webserver
2. PHP interprets this data, stores the file content in a temporary file and makes an entry in $_FILES
3. Your script does something with the array received in $_FILES and the content in the temporary file
As PHP and its beholding web servers are usually widely used, steps 1 and 2 should not allow the attacker to do bad things. The most vulnerable step is 3. The contents here can be manipulated by the attacker – and if you, e.g., use the filename to name the target file on your server, this is dangerous without appropriate filtering.
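One way to harden step 3, as an added example that is not part of the original answer: it confirms that `tmp_name` really is a file PHP received in this request, and it never uses the client-supplied name for the path on disk. The field name `doc`, the upload directory and the extension allow-list are assumptions for illustration.

```php
<?php
// Added example. UPLOAD_DIR, ALLOWED and the 'doc' field are assumed values.
const UPLOAD_DIR = '/var/www/uploads';
const ALLOWED = ['txt' => 'text/plain', 'pdf' => 'application/pdf'];

function store_upload(array $file, string $destDir = UPLOAD_DIR): string
{
    // Entries for multi-file fields or crafted field names arrive as nested arrays.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload entry');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    // tmp_name must be a file PHP itself received via HTTP POST in this
    // request, not an arbitrary path that already exists on the server.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // The client-supplied name is read only for its extension.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Derive the content type from the bytes; $file['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Server-generated name: no path traversal, no overwrite of existing files.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $target;
}

if (isset($_FILES['doc'])) {
    try {
        echo 'Stored as ' . basename(store_upload($_FILES['doc']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

`$_FILES[...]['name']` and `['type']` come straight from the request, so the code treats them as untrusted input; only `tmp_name`, `error` and `size` are set by PHP itself.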