curl allows circumvention of open_basedir (CAN-2004-1392)

Bug #12631 reported by Debian Bug Importer
Affects         Status         Importance   Assigned to    Milestone
php4 (Debian)   Fix Released   Unknown
php4 (Ubuntu)   Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #294065 http://bugs.debian.org/294065

CVE References

CVE-2004-1392 (candidate name CAN-2004-1392)

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 7 Feb 2005 13:05:36 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: curl allows circumvention of open_basedir (CAN-2004-1392)

Package: php4
Version: 4:4.3.10-2
Severity: serious
Tags: security patch

According to CAN-2004-1392:

  PHP 4.0 with cURL functions allows remote attackers to bypass the
  open_basedir setting and read arbitrary files via a file: URL argument
  to the curl_init function.

Details here:

  http://marc.theaimsgroup.com/?l=bugtraq&m=109898213806099&w=2

The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3.
Our newer version of php4 also seems to be vulnerable, based on code
inspection.

-- 
see shy jo

Attachment: php4-curl-openbasedir.patch

--- php4-4.3.8.orig/debian/patches/curl_check_open_basedir.patch
+++ php4-4.3.8/debian/patches/curl_check_open_basedir.patch
@@ -0,0 +1,18 @@
+diff -ru php4-4.3.10.old/ext/curl/curl.c php4-4.3.10/ext/curl/curl.c
+--- php4-4.3.10.old/ext/curl/curl.c 2005-01-20 14:20:15.000000000 +0000
++++ php4-4.3.10/ext/curl/curl.c 2005-01-20 15:34:06.000000000 +0000
+@@ -682,6 +682,14 @@
+ WRONG_PARAM_COUNT;
+ }
+=20
++ /* check open_basedir restriction */
++ {
++ char *u =3D Z_STRVAL_PP(url);
++
++ if(!u || (!strncmp(u, "file://",7) && php_check_open_basedir((u+7) TSRM=
LS_CC)))=20
++ RETURN_FALSE;
++ }
++
+ alloc_curl_handle(&ch);
+=20
+ ch->cp =3D curl_easy_init();
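Review bot: the prefix test `!strncmp(u, "file://",7)` is case-sensitive, while URL schemes are not and libcurl accepts `FILE:///etc/passwd` just as readily, so a capitalised scheme skips php_check_open_basedir() entirely; compare with strncasecmp() instead. The guard also lives only in curl_init(): it sees the URL given at handle creation, but curl_setopt($ch, CURLOPT_URL, ...) can replace that URL on the same handle afterwards, and nothing in this hunk covers that path, so the same check belongs wherever CURLOPT_URL is stored. Smaller point: `(u+7)` hands the remainder straight to the basedir check, so `file://localhost/etc/passwd` is tested as the relative path `localhost/etc/passwd`; that fails closed, but a comment stating the assumption would help the next reader.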

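The call pattern the report describes, beside the guard an application can apply in userland, as an added example (not code from the bug report, the Debian patch or PHP itself). It goes a step beyond the patch: the scheme is compared case-insensitively, the open_basedir test is applied to file: paths in PHP rather than in C, and libcurl is told which schemes it may speak at all. Assumed, not taken from the page: PHP 5.3 or later (CURLOPT_PROTOCOLS appeared in 5.2.10 and does not exist on the PHP 4 builds discussed here), an open_basedir value in php.ini, and the constructed sample URLs at the bottom.

```php
<?php
// Added example, not code from the bug report, the Debian patch or PHP itself.
// Shows the call pattern CAN-2004-1392 describes and a userland guard that
// (a) compares the URL scheme case-insensitively, (b) applies the open_basedir
// test to file: paths the way the attached patch does in C, and (c) tells
// libcurl which schemes it may use at all.
// Assumptions not taken from the page: PHP 5.3+ (CURLOPT_PROTOCOLS needs 5.2.10,
// the ?: operator 5.3), an open_basedir value in php.ini, and the sample URLs below.

// The pattern the advisory is about: open_basedir governs fopen() and friends,
// but on the unpatched PHP 4 builds in the report a file: URL goes straight to
// libcurl, which opens the file itself.
function fetch_unchecked($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Userland equivalent of php_check_open_basedir(): true if $path resolves to a
// location under one of the configured base directories.
function path_inside_open_basedir($path)
{
    $bases = ini_get('open_basedir');
    if ($bases === false || $bases === '') {
        return true;                       // no restriction configured
    }
    $real = realpath($path);               // resolves symlinks and ".."
    if ($real === false) {
        return false;                      // missing or unreadable: fail closed
    }
    foreach (explode(PATH_SEPARATOR, $bases) as $base) {
        $base = rtrim(realpath($base) ?: $base, DIRECTORY_SEPARATOR);
        if ($real === $base
            || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0) {
            return true;
        }
    }
    return false;
}

// Decide before libcurl ever sees the URL. strtolower() is what the C patch's
// strncmp(u, "file://", 7) lacks: libcurl treats FILE:// and file:// alike.
function url_allowed($url, $allow_file = false)
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme === 'file') {
        $path = parse_url($url, PHP_URL_PATH);
        return $allow_file && $path !== null && path_inside_open_basedir($path);
    }
    return $scheme === 'http' || $scheme === 'https'; // no ftp:, dict:, gopher:, ...
}

function fetch_checked($url, $allow_file = false)
{
    if (!url_allowed($url, $allow_file)) {
        return false;
    }
    $ch = curl_init($url);
    // Second layer: restrict libcurl itself, for the first request and for any
    // redirect it follows, so a later CURLOPT_URL change cannot widen the set.
    $protos = CURLPROTO_HTTP | CURLPROTO_HTTPS | ($allow_file ? CURLPROTO_FILE : 0);
    curl_setopt($ch, CURLOPT_PROTOCOLS, $protos);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs: the advisory's URL, the same with an upper-cased scheme,
// and an ordinary web URL. Only the last is allowed with the defaults.
foreach (array('file:///etc/passwd', 'FILE:///etc/passwd', 'http://example.com/') as $u) {
    printf("%-22s %s\n", $u, url_allowed($u) ? 'allowed' : 'refused');
}
```

The last layer is the practical consequence of the closing comment further down: open_basedir cannot know what a linked library will open on PHP's behalf, so an application that hands user-controlled URLs to curl should pin the allowed schemes itself instead of relying on the interpreter's sandbox.
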

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 07:58:40 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: <email address hidden>
Subject: Fixed

This was fixed an hour or so before it was reported. How's that for
response times?

... Adam

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 14:48:15 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: <email address hidden>
Cc: <email address hidden>
Subject: Hasty closing email

reopen 294065
tags 294065 +sarge
tags 294065 +woody
thanks

I guess I should have tagged this instead of closing it. I need sleep. :)

... Adam

Revision history for this message
Martin Pitt (pitti) wrote :

(In reply to comment #1)
> According to CAN-2004-1392:
>
> PHP 4.0 with cURL functions allows remote attackers to bypass the
> open_basedir setting and read arbitrary files via a file: URL argument
> to the curl_init function.
> [...]
> The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3.
> Our newer version of php4 also seems to be vulnerable, based on code
> inspection.

Right, I wrote that patch and already fixed it in Warty/Hoary.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 1 Mar 2005 17:24:54 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: tagging 294065

# Automatically generated email from bts, devscripts version 2.8.10
tags 294065 - sarge

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 1 Apr 2005 16:17:27 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: <email address hidden>
Subject: Closing this bug...

As indicated in #285845, our security team and vendor-sec consider
safe_mode to be "fundamentally broken", and as such, we do not issue
security advisories for fixes which only affect safe_mode behaviour.

open_basedir would fall into the same category, for the same reasons,
namely that it requires too much knowledge of how the libraries you link to
are going to mess with your ability to lock them down.

... Adam

Changed in php4:
status: Unknown → Fix Released