|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #30609 cURL functions bypass open_basedir
Submitted: 2004-10-29 10:21 UTC Modified: 2005-03-14 10:03 UTC
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: guillaume dot maes at celeonet dot fr Assigned: sniper (profile)
Status: Closed Package: cURL related
PHP Version: 4CVS, 5CVS (2005-03-13) OS: *
Private report: No CVE-ID: None
 [2004-10-29 10:21 UTC] guillaume dot maes at celeonet dot fr
PHP cURL functions bypass open_basedir
protection, so users can navigate through

For example, setting "open_basedir" in php.ini to
"/var/www/html" anybody can retrieve "/etc/parla"
using cURL functions

This vulnerability has been discovered wednesday :

Reproduce code:
$ch = curl_init("file:///etc/parla");
echo $file

Expected result:
The execution of the file /etc/parla is not allowed because the value of openbase_dir restriction is /var/www/html.

Actual result:
The file /etc/parla is executed. 

If /etc/parla contents :

<body><html> Test of vulnerability </html></body>

The execution of this code with cURL functions showns the message.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2004-10-29 10:43 UTC]
Sorry, this one should be open =)
I do think it should be fixed and no, this is not a cURL problem.
 [2004-11-01 05:14 UTC] say at no dot to dot spam
any solution to this? other then disabling curl
 [2004-11-01 07:56 UTC]
Yes, you need to configure/install curl not to allow access to the local filesystem. It has a nice configure option for that when you are installing it.
 [2005-03-14 10:03 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Jun 15 01:01:31 2024 UTC