From:             guillaume dot maes at celeonet dot fr
Operating system: Linux
PHP version:      4.3.9
PHP Bug Type:     cURL related
Bug description:  cURL functions bypass open_basedir

Description:
------------
PHP cURL functions bypass open_basedir
protection, so users can navigate through
the filesystem.

For example, with "open_basedir" set in php.ini to
"/var/www/html", anybody can retrieve "/etc/parla"
using cURL functions.

This vulnerability was discovered on Wednesday:
http://www.securitytrap.com/mail/bugtraq/2004/Oct/0287.html





Reproduce code:
---------------
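<?php
// open_basedir is set to /var/www/html; this file:// URL points outside it.
$ch = curl_init("file:///etc/parla");
// Without CURLOPT_RETURNTRANSFER, curl_exec() writes the body straight to output.
$file = curl_exec($ch);
echo $file;
?>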

Expected result:
----------------
The execution of the file /etc/parla is not allowed because the value of
the open_basedir restriction is /var/www/html.

Actual result:
--------------
The file /etc/parla is executed. 

If /etc/parla contains:

<body><html> Test of vulnerability </html></body>

The execution of this code with cURL functions shows the message.

-- 
Edit bug report at http://bugs.php.net/?id=30610&edit=1
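
A present-day mitigation for the issue reported above, as an added example that is not part of the original report or of PHP's own code: restrict cURL to HTTP(S) both before the call and inside libcurl. `fetch_http_only` is a hypothetical helper name; the code assumes PHP 7 or later with ext/curl built against libcurl 7.19.4 or later (for `CURLOPT_PROTOCOLS`).

```php
<?php
// Added example (not from the bug report): a fetch wrapper that refuses
// file:// and every other non-HTTP scheme, both up front and inside libcurl.
// Assumption: PHP >= 7 and libcurl >= 7.19.4 (CURLOPT_PROTOCOLS available).

/** Hypothetical helper: returns the body, or throws if the URL is not http(s). */
function fetch_http_only(string $url): string
{
    // 1. Reject by scheme first; parse_url() yields null when no scheme exists.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)
        || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        throw new InvalidArgumentException(
            'scheme not allowed: ' . var_export($scheme, true)
        );
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // 2. Enforce the same allow-list inside libcurl, so a local-file URL
        //    fails even if the check above is ever changed or skipped.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // 3. Redirect targets must obey the allow-list as well.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('cURL error: ' . curl_error($ch));
    }
    return $body;
}

// Constructed inputs mirroring the report; none of them reaches the network.
foreach (['file:///etc/parla', 'FILE:///etc/parla', '/etc/parla'] as $candidate) {
    try {
        fetch_http_only($candidate);
        echo "fetched: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "blocked: $candidate ({$e->getMessage()})\n";
    }
}
```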