php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36223 curl bypasses open_basedir restrictions
Submitted: 2006-01-31 11:18 UTC Modified: 2006-02-13 13:21 UTC
From: stevewest15 at yahoo dot com Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.4.2 OS: Redhat Enterprise 3.6
Private report: No CVE-ID:
 [2006-01-31 11:18 UTC] stevewest15 at yahoo dot com
Description:
------------
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't! :-(

Here is the configure line for PHP:

'./configure' '--localstatedir=/var/hsphere/php' '--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr' '--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr' '--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp' '--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared' '--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared' '--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared' '--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared' '--with-curlwrappers' '--with-mhash=/hsphere/shared' '--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared' '--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--enable-mbstring' '--disable-debug' '--enable-pspell' '--enable-memory-limit' '--disable-files'


Changes to php.ini made:

open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/

disable_functions = "pack,system"


Please fix this 

Reproduce code:
---------------
<?php
$ch = curl_init("file:/etc/snmp/snmpd.conf");
$file=curl_exec($ch);
echo $file
?>

Expected result:
----------------
It should say that open_basedir restrictions are in affect and that it couldn't retrieve file.

Actual result:
--------------
When the above code is run, it actually retrieves my /etc/snmpd.conf and displays it's content in my browser. BIG SECURITY concern!

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-31 11:57 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2006-02-01 09:06 UTC] stevewest15 at yahoo dot com
> This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.

thx,

SW
 [2006-02-01 09:25 UTC] tony2001@php.net
Feel free to try snapshots, that's why they are packaged.
You don't have to *INSTALL* a snapshot to test it.
 [2006-02-13 13:21 UTC] tomsommer@php.net
I cannot confirm the fix in CVS, the following still works:

<?php
$ch = curl_init("file:///etc/passwd");
$file=curl_exec($ch);
echo $file
?>

shows the content of /etc/passwd

using php4-STABLE-200602131136 and safe_mode=ON
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 03:02:48 2014 UTC