Bug #30609 cURL functions bypass open_basedir
Submitted: 2004-10-29 10:21 UTC Modified: 2005-03-14 10:03 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: guillaume dot maes at celeonet dot fr Assigned: sniper (profile)
Status: Closed Package: cURL related
PHP Version: 4CVS, 5CVS (2005-03-13) OS: *
Private report: No CVE-ID: None
 [2004-10-29 10:21 UTC] guillaume dot maes at celeonet dot fr
Description:
------------
PHP cURL functions bypass open_basedir
protection, so users can navigate through
filesystem.

For example, setting "open_basedir" in php.ini to
"/var/www/html" anybody can retrieve "/etc/parla"
using cURL functions.

This vulnerability has been discovered Wednesday: http://www.securitytrap.com/mail/bugtraq/2004/Oct/0287.html

Reproduce code:
---------------
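<?php
// file:// URL pointing outside the configured open_basedir (/var/www/html)
$ch = curl_init("file:///etc/parla");
// CURLOPT_RETURNTRANSFER is not set, so curl_exec() prints the file itself
$file = curl_exec($ch);
echo $file;
?>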

Expected result:
----------------
The execution of the file /etc/parla is not allowed because the value of open_basedir restriction is /var/www/html.

Actual result:
--------------
The file /etc/parla is executed. 

If /etc/parla contains:

<body><html> Test of vulnerability </html></body>

The execution of this code with cURL functions shows the message.

 [2004-10-29 10:43 UTC] tony2001@php.net
Sorry, this one should be open =)
I do think it should be fixed and no, this is not a cURL problem.
 [2004-11-01 05:14 UTC] say at no dot to dot spam
Any solution to this? Other than disabling curl
 [2004-11-01 07:56 UTC] derick@php.net
Yes, you need to configure/install curl not to allow access to the local filesystem. It has a nice configure option for that when you are installing it.
 [2005-03-14 10:03 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
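
An application-level guard for the issue reported above, as an added example that is not part of the original report or of the fix committed to PHP: it limits cURL to HTTP(S) so a file:// URL never reaches the local filesystem, and reports whether the linked libcurl was built with file support at all. The function names fetch_http_only and curl_build_allows_file are hypothetical.

```php
<?php
// Added illustration: hypothetical helpers, not code from the PHP project.

/** True when the linked libcurl was built with file:// support. */
function curl_build_allows_file(): bool
{
    $info = curl_version();
    return in_array('file', $info['protocols'], true);
}

/**
 * Fetch a URL over HTTP(S) only. Returns the body, or null when the URL
 * is rejected or the transfer fails.
 */
function fetch_http_only(string $url): ?string
{
    // Reject anything that is not http/https before cURL ever sees it.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Defence in depth: libcurl itself refuses other schemes,
        // both for the initial request and for any redirect target.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);

    return $body === false ? null : $body;
}

// The URL from the report is refused before any transfer is attempted.
var_dump(fetch_http_only('file:///etc/parla'));
// Shows whether this PHP's libcurl could open file:// URLs at all.
var_dump(curl_build_allows_file());
```

The scheme allow-list only protects code paths that go through the wrapper; building libcurl without file support, as suggested in the comments above, covers every caller.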


 
Last updated: Thu Nov 21 11:01:29 2024 UTC