ID: 36223 Updated by: [EMAIL PROTECTED] Reported By: stevewest15 at yahoo dot com Status: Closed Bug Type: Safe Mode/open_basedir Operating System: Redhat Enterprise 3.6 PHP Version: 4.4.2 New Comment:
I cannot confirm the fix in CVS, the following still works: <?php $ch = curl_init("file:///etc/passwd"); $file=curl_exec($ch); echo $file ?> shows the content of /etc/passwd using php4-STABLE-200602131136 and safe_mode=ON Previous Comments: ------------------------------------------------------------------------ [2006-02-01 09:25:23] [EMAIL PROTECTED] Feel free to try snapshots, that's why they are packaged. You don't have to *INSTALL* a snapshot to test it. ------------------------------------------------------------------------ [2006-02-01 09:06:45] stevewest15 at yahoo dot com > This bug has been fixed in CVS. But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon. thx, SW ------------------------------------------------------------------------ [2006-01-31 11:57:54] [EMAIL PROTECTED] This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. ------------------------------------------------------------------------ [2006-01-31 11:18:59] stevewest15 at yahoo dot com Description: ------------ PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't! :-( Here is the configure line for PHP: './configure' '--localstatedir=/var/hsphere/php' '--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr' '--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr' '--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp' '--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared' '--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared' '--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared' '--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared' '--with-curlwrappers' '--with-mhash=/hsphere/shared' '--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared' '--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--enable-mbstring' '--disable-debug' '--enable-pspell' '--enable-memory-limit' '--disable-files' Changes to php.ini made: open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/ disable_functions = "pack,system" Please fix this Reproduce code: --------------- <?php $ch = curl_init("file:/etc/snmp/snmpd.conf"); $file=curl_exec($ch); echo $file ?> Expected result: ---------------- It should say that open_basedir restrictions are in affect and that it couldn't retrieve file. Actual result: -------------- When the above code is run, it actually retrieves my /etc/snmpd.conf and displays it's content in my browser. BIG SECURITY concern! ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=36223&edit=1