php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36223 curl bypasses open_basedir restrictions
Submitted: 2006-01-31 11:18 UTC Modified: 2006-02-13 13:21 UTC
From: stevewest15 at yahoo dot com Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.4.2 OS: Redhat Enterprise 3.6
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: stevewest15 at yahoo dot com
New email:
PHP Version: OS:

 

 [2006-01-31 11:18 UTC] stevewest15 at yahoo dot com
Description:
------------
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't! :-(

Here is the configure line for PHP:

'./configure' '--localstatedir=/var/hsphere/php' '--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr' '--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr' '--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp' '--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared' '--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared' '--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared' '--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared' '--with-curlwrappers' '--with-mhash=/hsphere/shared' '--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared' '--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--enable-mbstring' '--disable-debug' '--enable-pspell' '--enable-memory-limit' '--disable-files'


Changes to php.ini made:

open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/

disable_functions = "pack,system"


Please fix this 

Reproduce code:
---------------
<?php
$ch = curl_init("file:/etc/snmp/snmpd.conf");
$file=curl_exec($ch);
echo $file
?>

Expected result:
----------------
It should say that open_basedir restrictions are in affect and that it couldn't retrieve file.

Actual result:
--------------
When the above code is run, it actually retrieves my /etc/snmpd.conf and displays it's content in my browser. BIG SECURITY concern!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-31 11:57 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2006-02-01 09:06 UTC] stevewest15 at yahoo dot com
> This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.

thx,

SW
 [2006-02-01 09:25 UTC] tony2001@php.net
Feel free to try snapshots, that's why they are packaged.
You don't have to *INSTALL* a snapshot to test it.
 [2006-02-13 13:21 UTC] tomsommer@php.net
I cannot confirm the fix in CVS, the following still works:

<?php
$ch = curl_init("file:///etc/passwd");
$file=curl_exec($ch);
echo $file
?>

shows the content of /etc/passwd

using php4-STABLE-200602131136 and safe_mode=ON
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 22:01:27 2024 UTC