#36223 [Csd]: curl bypasses open_basedir restrictions
 ID:               36223
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stevewest15 at yahoo dot com
 Status:           Closed
 Bug Type:         Safe Mode/open_basedir
 Operating System: Redhat Enterprise 3.6
 PHP Version:      4.4.2
 New Comment:

I cannot confirm the fix in CVS, the following still works:

<?php
$ch = curl_init("file:///etc/passwd");
$file = curl_exec($ch);
echo $file
?>

shows the content of /etc/passwd using php4-STABLE-200602131136 and safe_mode=ON

Previous Comments:
------------------------------------------------------------------------

[2006-02-01 09:25:23] [EMAIL PROTECTED]

Feel free to try snapshots, that's why they are packaged. You don't have to *INSTALL* a snapshot to test it.

------------------------------------------------------------------------

[2006-02-01 09:06:45] stevewest15 at yahoo dot com

This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.

thx,
SW

------------------------------------------------------------------------

[2006-01-31 11:57:54] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2006-01-31 11:18:59] stevewest15 at yahoo dot com

Description:
------------
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't! :-(

Here is the configure line for PHP:

'./configure' '--localstatedir=/var/hsphere/php' '--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr' '--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr' '--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp' '--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared' '--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared' '--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared' '--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared' '--with-curlwrappers' '--with-mhash=/hsphere/shared' '--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared' '--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--enable-mbstring' '--disable-debug' '--enable-pspell' '--enable-memory-limit' '--disable-files'

Changes to php.ini made:

open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/
disable_functions = pack,system

Please fix this

Reproduce code:
---------------
<?php
$ch = curl_init("file:/etc/snmp/snmpd.conf");
$file = curl_exec($ch);
echo $file
?>

Expected result:
----------------
It should say that open_basedir restrictions are in effect and that it couldn't retrieve file.

Actual result:
--------------
When the above code is run, it actually retrieves my /etc/snmpd.conf and displays its content in my browser. BIG SECURITY concern!

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=36223&edit=1
#36223 [Csd]: curl bypasses open_basedir restrictions
 ID:               36223
 User updated by:  stevewest15 at yahoo dot com
 Reported By:      stevewest15 at yahoo dot com
 Status:           Closed
 Bug Type:         Safe Mode/open_basedir
 Operating System: Redhat Enterprise 3.6
 PHP Version:      4.4.2
 New Comment:

This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.

thx,
SW

Previous Comments:
------------------------------------------------------------------------

[2006-01-31 11:57:54] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2006-01-31 11:18:59] stevewest15 at yahoo dot com

Description:
------------
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't!
#36223 [Csd]: curl bypasses open_basedir restrictions
 ID:               36223
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stevewest15 at yahoo dot com
 Status:           Closed
 Bug Type:         Safe Mode/open_basedir
 Operating System: Redhat Enterprise 3.6
 PHP Version:      4.4.2
 New Comment:

Feel free to try snapshots, that's why they are packaged. You don't have to *INSTALL* a snapshot to test it.

Previous Comments:
------------------------------------------------------------------------

[2006-02-01 09:06:45] stevewest15 at yahoo dot com

This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.

thx,
SW

------------------------------------------------------------------------

[2006-01-31 11:57:54] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2006-01-31 11:18:59] stevewest15 at yahoo dot com

Description:
------------
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't!
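The thread shows two spellings of a local file URL (file:/... and file:///...) reaching curl_init() past open_basedir. As an added example, not code from the thread and not PHP's internal fix, this userland pre-check normalizes several file: URL forms, beyond the two in the thread, and tests the resulting path against an open_basedir-style list. The function names are hypothetical and modern PHP (7.1 or later) is assumed.

```php
<?php
// Added example, not PHP's internal fix: decide whether a URL bound for
// curl_init() is a file: URL that falls outside an open_basedir-style list.

// Collapse "." and ".." lexically, for paths that do not exist on disk.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Percent-decoded path of a file: URL, or null if the URL is not of the
// form file:/p, file:///p or file://host/p (scheme is case-insensitive).
function file_url_path(string $url): ?string {
    if (!preg_match('#^file:(?://[^/]*)?(/.*)$#i', trim($url), $m)) {
        return null;
    }
    return rawurldecode($m[1]);
}

// Verdict: "not-file", "allow" or "deny". Every list entry is treated as a
// directory, which is stricter than PHP's prefix match for slashless entries.
function check_curl_target(string $url, string $openBasedir): string {
    $path = file_url_path($url);
    if ($path === null) { return stripos(trim($url), 'file:') === 0 ? 'deny' : 'not-file'; }
    if (strpos($path, "\0") !== false) { return 'deny'; }
    $real = realpath($path);                 // resolves symlinks when the file exists
    $path = $real !== false ? $real : normalize_path($path);
    foreach (explode(':', $openBasedir) as $entry) {
        if ($entry === '') { continue; }
        if (strpos($path . '/', rtrim($entry, '/') . '/') === 0) { return 'allow'; }
    }
    return 'deny';
}

// open_basedir value from the report; the URLs are constructed samples,
// the first two being the forms used in the thread.
$basedir = '/home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/';
$urls = ['file:/etc/snmp/snmpd.conf', 'file:///etc/passwd',
         'FILE://localhost/tmp/../etc/passwd', 'file:///tmp/%2e%2e/etc/passwd',
         'file:///tmp/upload.txt', 'http://example.com/'];
foreach ($urls as $u) {
    printf("%-40s %s\n", $u, check_curl_target($u, $basedir));
}
```

On PHP builds that provide it, setting CURLOPT_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS on the handle removes the file scheme from consideration entirely and is the simpler control when local files are never a legitimate target.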