Vigil@nce: PHP, reading a file via curl_setopt
April 2009 by Vigil@nce
An attacker can use the curl_setopt() function in order to read a
file bypassing the safe_mode and open_basedir restriction.
– Severity: 1/4
– Consequences: data reading
– Provenance: user account
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 14/04/2009
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The open_basedir restriction limits directories where a PHP script
can access.
The curl_setopt() function changes cURL options of cURL, which is
used to download a document. For example:
curl_setopt($ch, CURLOPT_URL, "http://site/page");
However, a script can use:
curl_setopt($ch, CURLOPT_URL, "file:file:////dir/afile");
In this case, the double usage of "file:" accesses to the
"/dir/afile" local file, event if "/dir/" is not indicated in
open_basedir.
An attacker allowed to upload a PHP script on the server can
therefore use the curl_setopt() function in order to read a file
bypassing the safe_mode and open_basedir restriction.
CHARACTERISTICS
– Identifiers: BID-34475, VIGILANCE-VUL-8626
– Url: http://vigilance.fr/vulnerability/PHP-reading-a-file-via-curl-setopt-8626
To change your email preferences (frequency, severity threshold, format):
https://vigilance.fr/?action=2041549901&langue=2