Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP libcurl Bug in Processing 'file://' URLs Containing NULL Characters Lets Users Bypass Safe Mode Restrictions
SecurityTracker Alert ID:  1016175
SecurityTracker URL:
CVE Reference:   CVE-2006-2563   (Links to External Site)
Date:  May 30 2006
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.4.2 and 5.1.4
Description:   A vulnerability was reported in PHP libcurl. A user may be able to bypass safe mode restrictions.

A user that can create PHP on the target system or affect data passed to a PHP script may be able to pass a specially crafted URL to bypass PHP safe_mode security checks and include files from the script's directory.

The flaw can be triggered by 'file://' URLs that contain NULL characters.

The vulnerability resides in 'ext/curl/interface.c'.

Maksymilian Arciemowicz of reported this vulnerability.

The original advisory is available at:

Impact:   A user may be able to cause the affected script to include unintended files.
Solution:   The vendor has issued a fix, available via CVS.
Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4

Hash: SHA1

[cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
- -Written: 15.5.2006
- -Public: 27.5.2006

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific
 features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at on the Zend website. Also,
 much of the PHP Conference Material is freely available. 

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this
 problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially
 ISP's, use safe mode for now.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of
 servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and
 ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp
 extension), HTTP form based upload, proxies, cookies, and user+password authentication.
These functions have been added in PHP 4.0.2. 

- --- 1. Safe Mode Bypass in cURL---
General problem exists in cURL functions, because are changed safe_mode, strings 0 (\x00) are change to "_". Next bug exists in prefix
 file://, becaluse safe_mode checks only path at file:///. 

- -Safe_Mode bypass exploit.1---
$ch = curl_init("file://filethatyoudonthaveaccessto.php\x00".__FILE__);
- -Safe_Mode bypass exploit.1---

Safe_mode checks only access only to __FILE__. But cURL include filethatyoudonthaveaccessto.php. So you can include any files from
 directory where script is.
But in this exploit, you can only read files from directory where is this script. You can't use "/".

There is another conception for an exploit: if you have an access to a directory (rights) where you want to read files. So, if you
 want to include files from "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php",
you should make a dir like

- -Safe_Mode bypass exploit.2---
$ch = curl_init("file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php\x00/../../../../../../../../../../../../".__FILE__);
- -Safe_Mode bypass exploit.2---

Safe mode checks access to file

And cURL include only 

because \x00 are ending path to file.

- --- 2. How to fix ---

- --- 3. Greets ---

For: sp3x
p_e_a, l5x, Infospec, pi3, eax

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
Version: GnuPG v1.4.3 (FreeBSD)



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC