ID: 30609 Updated by: [EMAIL PROTECTED] Reported By: guillaume dot maes at celeonet dot fr -Status: Wont fix +Status: Closed Bug Type: cURL related -Operating System: Linux +Operating System: * -PHP Version: 4.3.9 +PHP Version: 4CVS, 5CVS (2005-03-13) -Assigned To: +Assigned To: sniper New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2005-03-01 16:41:29] [EMAIL PROTECTED] http://www.php.net/~jani/patches/bug30609.patch ------------------------------------------------------------------------ [2004-11-01 07:56:01] [EMAIL PROTECTED] Yes, you need to configure/install curl not to allow access to the local filesystem. It has a nice configure option for that when you are installing it. ------------------------------------------------------------------------ [2004-11-01 05:14:24] say at no dot to dot spam any solution to this? other then disabling curl ------------------------------------------------------------------------ [2004-10-29 10:43:45] [EMAIL PROTECTED] Sorry, this one should be open =) I do think it should be fixed and no, this is not a cURL problem. ------------------------------------------------------------------------ [2004-10-29 10:21:17] guillaume dot maes at celeonet dot fr Description: ------------ PHP cURL functions bypass open_basedir protection, so users can navigate through filesystem. For example, setting "open_basedir" in php.ini to "/var/www/html" anybody can retrieve "/etc/parla" using cURL functions This vulnerability has been discovered wednesday :http://www.securitytrap.com/mail/bugtraq/2004/Oct/0287.html Reproduce code: --------------- <?php $ch = curl_init("file:///etc/parla"); $file=curl_exec($ch); echo $file ?> Expected result: ---------------- The execution of the file /etc/parla is not allowed because the value of openbase_dir restriction is /var/www/html. Actual result: -------------- The file /etc/parla is executed. If /etc/parla contents : <body><html> Test of vulnerability </html></body> The execution of this code with cURL functions showns the message. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30609&edit=1
