ID:               36223
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stevewest15 at yahoo dot com
 Status:           Closed
 Bug Type:         Safe Mode/open_basedir
 Operating System: Redhat Enterprise 3.6
 PHP Version:      4.4.2
 New Comment:

I cannot confirm the fix in CVS, the following still works:

<?php
$ch = curl_init("file:///etc/passwd");
$file=curl_exec($ch);
echo $file
?>

shows the content of /etc/passwd

using php4-STABLE-200602131136 and safe_mode=ON


Previous Comments:
------------------------------------------------------------------------

[2006-02-01 09:25:23] [EMAIL PROTECTED]

Feel free to try snapshots, that's why they are packaged.
You don't have to *INSTALL* a snapshot to test it.

------------------------------------------------------------------------

[2006-02-01 09:06:45] stevewest15 at yahoo dot com

> This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we
upgraded to 4.4.2. I'm not sure about using a CVS version on production
servers but I hope a final version with this fix will be coming out
soon.

thx,

SW

------------------------------------------------------------------------

[2006-01-31 11:57:54] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------

[2006-01-31 11:18:59] stevewest15 at yahoo dot com

Description:
------------
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir
restrictions. Your release notes for 4.4.2 state that it has been
fixed...but it hasn't! :-(

Here is the configure line for PHP:

'./configure' '--localstatedir=/var/hsphere/php'
'--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr'
'--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr'
'--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp'
'--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared'
'--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared'
'--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared'
'--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared'
'--with-curlwrappers' '--with-mhash=/hsphere/shared'
'--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared'
'--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning'
'--enable-track-vars' '--enable-trans-sid' '--enable-bcmath'
'--enable-mbstring' '--disable-debug' '--enable-pspell'
'--enable-memory-limit' '--disable-files'


Changes to php.ini made:

open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/

disable_functions = "pack,system"


Please fix this 

Reproduce code:
---------------
<?php
$ch = curl_init("file:/etc/snmp/snmpd.conf");
$file=curl_exec($ch);
echo $file
?>

Expected result:
----------------
It should say that open_basedir restrictions are in effect and that it
couldn't retrieve the file.

Actual result:
--------------
When the above code is run, it actually retrieves my /etc/snmpd.conf
and displays its content in my browser. BIG SECURITY concern!


------------------------------------------------------------------------
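
An application-level guard against the file: URLs shown in the reproduce code above, as an added example that is not part of the bug thread and is not the fix committed to CVS. It assumes PHP >= 5.2.10 built against libcurl >= 7.19.4, where CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS exist; restricted_curl_init() is a hypothetical helper name.

```php
<?php
// Added example, not code from the bug thread or from PHP itself.
// Assumes PHP >= 5.2.10 with libcurl >= 7.19.4 (CURLOPT_PROTOCOLS available).

// Hypothetical helper: hand out cURL handles that can only speak HTTP(S).
function restricted_curl_init($url)
{
    $allowed = array('http', 'https');

    // Layer 1: reject on the scheme before libcurl sees the URL.
    // Matches "file:///etc/passwd" as well as the "file:/path" form.
    if (!preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
        || !in_array(strtolower($m[1]), $allowed, true)) {
        throw new InvalidArgumentException("URL scheme not allowed: $url");
    }

    $ch = curl_init();
    // Layer 2: libcurl itself refuses other protocols, including after a
    // redirect, even if a URL is later swapped in with curl_setopt().
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_URL, $url);
    return $ch;
}

// The two URL forms from the reports above, used here as test input.
foreach (array('file:///etc/passwd', 'file:/etc/snmp/snmpd.conf') as $url) {
    try {
        restricted_curl_init($url);
        echo "UNEXPECTED: handle created for $url\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected by scheme check: $url\n";
    }
}

// Layer 2 on its own: a handle obtained from the helper, then pointed at a file.
$ch = restricted_curl_init('http://localhost/');
curl_setopt($ch, CURLOPT_URL, 'file:///etc/passwd');
$body = curl_exec($ch);
if ($body === false && curl_errno($ch) === CURLE_UNSUPPORTED_PROTOCOL) {
    echo "rejected by libcurl: " . curl_error($ch) . "\n";
}
curl_close($ch);
```

This only constrains code that goes through the helper; scripts that call curl_init() directly still depend on the interpreter enforcing open_basedir.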

