php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #30609 cURL functions bypass open_basedir
Submitted: 2004-10-29 10:21 UTC Modified: 2005-03-14 10:03 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: guillaume dot maes at celeonet dot fr Assigned: sniper (profile)
Status: Closed Package: cURL related
PHP Version: 4CVS, 5CVS (2005-03-13) OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2004-10-29 10:21 UTC] guillaume dot maes at celeonet dot fr 
Description:
------------
PHP cURL functions bypass open_basedir
protection, so users can navigate through
filesystem.

For example, setting "open_basedir" in php.ini to
"/var/www/html" anybody can retrieve "/etc/parla"
using cURL functions

This vulnerability has been discovered wednesday :http://www.securitytrap.com/mail/bugtraq/2004/Oct/0287.html





Reproduce code:
---------------
<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?> 

Expected result:
----------------
The execution of the file /etc/parla is not allowed because the value of openbase_dir restriction is /var/www/html.

Actual result:
--------------
The file /etc/parla is executed. 

If /etc/parla contents :

<body><html> Test of vulnerability </html></body>

The execution of this code with cURL functions showns the message.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-10-29 10:43 UTC] tony2001@php.net 
Sorry, this one should be open =)
I do think it should be fixed and no, this is not a cURL problem.
 [2004-11-01 05:14 UTC] say at no dot to dot spam 
any solution to this? other then disabling curl
 [2004-11-01 07:56 UTC] derick@php.net 
Yes, you need to configure/install curl not to allow access to the local filesystem. It has a nice configure option for that when you are installing it.
 [2005-03-01 16:41 UTC] sniper@php.net 
http://www.php.net/~jani/patches/bug30609.patch
 [2005-03-14 10:03 UTC] sniper@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 09:01:32 2024 UTC