Possible file upload attack

I used the automatic installer and everything seems to work except that I cannot upload anything!!
I can create folders and delete images, but not upload!?
It says "Possible file upload attack!".
I have stepped through all settings but cannot understand why it doesn't work.

Ok, there should be another

Ok, there should be another error message in that case, something like:

"Unable to upload file"

I'll change that in the next version.

It only means that PHP was unable to move the uploaded file from tmp to the photos directory, i.e. the call of the function move_uploaded_file failed.

Check the access rights on your cache directory, as the uploaded file is first moved to the cache directory and after that copied to your photo dir via FTP.

Hmmm... The phpAlbum cache

Hmmm...
The phpAlbum cache directory has full access rights, so I still don't understand what is going on.
The Photos directory has also full access rights.
Where is the "tmp" directory located? I don't seem to have any with that name on my site.

I have included a snapshot of the error log with the private things removed (replaced with words within <> ).
move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/php8nSk1J) is not within the allowed path(s): (/usr/tmp/upload/:/home/0/b0011740/www/.se/)
/home/0//www/leandersbros.se/phpAlbum/setup.php (Line:878) Warning
07/07/11 15:21:04 move_uploaded_file(/tmp/php8nSk1J) [function.move-uploaded-file]: failed to open stream: Operation not permitted
/home/0//www/.se/phpAlbum/setup.php (Line:878) Warning
07/07/11 15:21:04 move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php8nSk1J' to 'cache_52a7fa9c/s�kn.jpg'
/home/0//www/.se/phpAlbum/setup.php (Line:878)

Ask your admins to allow you

Ask your admins to allow you to access files in the /tmp/ directory, as this is used by PHP to temporarily store uploaded files. Otherwise you won't be able to upload files with any PHP application...

I already have the right

I already have the right access to the /tmp/ dir according to the admins.

I just thought of one thing:
The installer on this website is able to add 4 pictures during installation. Is the installer using the /tmp/ dir or does it add the pictures some other way?

To solve this problem on

To solve this problem on my webserver, I added a directive to the vhost configuration:

php_admin_value upload_tmp_dir /home/wwwusers/phpalbum/cache_xxx/
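
The error log earlier in the thread shows the temporary upload file in /tmp/ falling outside the open_basedir list, and the directive above resolves that by placing upload_tmp_dir inside it. As an added example (not part of the thread and not phpAlbum code), this PHP page reports whether both directories fall within open_basedir; the function names and the `cache` directory name are assumptions.

```php
<?php
// Added diagnostic, not phpAlbum code. Request it through the web server (not
// the CLI) so it sees the same vhost settings as the upload script.

// Simplified check: each open_basedir entry is treated as a directory and
// compared as a string; symlinks are not resolved.
function allowed_by_open_basedir(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true; // no restriction configured
    }
    $path = rtrim($path, '/') . '/';
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        if ($entry === '') {
            continue;
        }
        $entry = rtrim($entry, '/') . '/';
        if (strncmp($path, $entry, strlen($entry)) === 0) {
            return true;
        }
    }
    return false;
}

function upload_tmp_report(string $destDir): array
{
    $openBasedir = (string) ini_get('open_basedir');
    // An empty upload_tmp_dir means PHP uses the system default temp directory.
    $tmp = (string) ini_get('upload_tmp_dir');
    if ($tmp === '') {
        $tmp = sys_get_temp_dir();
    }
    return [
        'file_uploads'        => (bool) ini_get('file_uploads'),
        'open_basedir'        => $openBasedir === '' ? '(none)' : $openBasedir,
        'upload_tmp_dir'      => $tmp,
        'tmp_within_basedir'  => allowed_by_open_basedir($tmp, $openBasedir),
        'dest_within_basedir' => allowed_by_open_basedir($destDir, $openBasedir),
        // @ hides the open_basedir warning if the path is outside the allowed set.
        'dest_writable'       => @is_writable($destDir),
    ];
}

header('Content-Type: text/plain');
// Assumption: the destination is a cache directory beside this script.
foreach (upload_tmp_report(__DIR__ . '/cache') as $key => $value) {
    echo str_pad($key, 22), var_export($value, true), "\n";
}
```

A `tmp_within_basedir` of `false` corresponds to the "open_basedir restriction in effect" warning in the log; remove the page from the server once the check is done, since it discloses configuration paths.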

That's cool you found the

That's cool you found the solution for your problem.

These 4 pictures are added

These 4 pictures are added another way, directly with FTP into the photos directory. If you use the uploader in phpAlbum, it is done by uploading over HTTP, which then uses this temporary directory.

More than 3 files is not possible

I tried a little and found the following behaviour. If you pack more than 3 files into a zip archive, the attack message appears. This is independent of the security attributes.

Can you please check this?

Thank you in advance,
Fireball
