curl allows curcumvention of open_basedir (CAN-2004-1392)

Automatically imported from Debian bug report #294065 http://bugs.debian.org/294065

Message-ID: <email address hidden>
Date: Mon, 7 Feb 2005 13:05:36 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: curl allows curcumvention of open_basedir (CAN-2004-1392)

--VrqPEDrXMn8OVzN4
Content-Type: multipart/mixed; boundary="AqsLC8rIMeq19msA"
Content-Disposition: inline

--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: php4
Version: 4:4.3.10-2
Severity: serious
Tags: security patch

According to CAN-2004-1392:

  PHP 4.0 with cURL functions allows remote attackers to bypass the
  open_basedir setting and read arbitrary files via a file: URL argument
  to the curl_init function.

Details here:

  http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D109898213806099&w=3D2

The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3.
Our newer version of php4 also seems to be vulnerable, based on code
inspection.

--=20
see shy jo

--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="php4-curl-openbasedir.patch"
Content-Transfer-Encoding: quoted-printable

--- php4-4.3.8.orig/debian/patches/curl_check_open_basedir.patch
+++ php4-4.3.8/debian/patches/curl_check_open_basedir.patch
@@ -0,0 +1,18 @@
+diff -ru php4-4.3.10.old/ext/curl/curl.c php4-4.3.10/ext/curl/curl.c
+--- php4-4.3.10.old/ext/curl/curl.c 2005-01-20 14:20:15.000000000 +0000
++++ php4-4.3.10/ext/curl/curl.c 2005-01-20 15:34:06.000000000 +0000
+@@ -682,6 +682,14 @@
+ WRONG_PARAM_COUNT;
+ }
+=20
++ /* check open_basedir restriction */
++ {
++ char *u =3D Z_STRVAL_PP(url);
++
++ if(!u || (!strncmp(u, "file://",7) && php_check_open_basedir((u+7) TSRM=
LS_CC)))=20
++ RETURN_FALSE;
++ }
++
+ alloc_curl_handle(&ch);
+=20
+ ch->cp =3D curl_easy_init();

--AqsLC8rIMeq19msA--

--VrqPEDrXMn8OVzN4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCB63vd8HHehbQuO8RApr9AJkBxWWdpZGfb0SdvfGbI3kC0ZyB6gCbB1iR
gsSrJfALH+BRy3T8S0VbtxY=
=2eba
-----END PGP SIGNATURE-----

--VrqPEDrXMn8OVzN4--

Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 07:58:40 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: <email address hidden>
Subject: Fixed

This was fixed an hour or so before it was reported. How's that for
response times?

... Adam

Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 14:48:15 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: <email address hidden>
Cc: <email address hidden>
Subject: Hasty closing email

reopen 294065
tags 294065 +sarge
tags 294065 +woody
thanks

I guess I should have tagged this instead of closing it. I need sleep. :)

... Adam

(In reply to comment #1)
> According to CAN-2004-1392:
>
> PHP 4.0 with cURL functions allows remote attackers to bypass the
> open_basedir setting and read arbitrary files via a file: URL argument
> to the curl_init function.
> [...]
> The attached patch was extracted from ubuntu's php4 4.3.8-3ubuntu7.3.
> Our newer version of php4 also seems to be vulnerable, based on code
> inspection.

Right, I wrote that patch and already fixed it in Warty/Hoary.

Message-Id: <email address hidden>
Date: Tue, 1 Mar 2005 17:24:54 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: tagging 294065

# Automatically generated email from bts, devscripts version 2.8.10
tags 294065 - sarge

Message-ID: <email address hidden>
Date: Fri, 1 Apr 2005 16:17:27 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: <email address hidden>
Subject: Closing this bug...

As indicated in #285845, our security team and vendor-sec consider
safe_mode to be "fundamentally broken", and as such, we do not issue
security advisories for fixed which only affect safe_mode behaviour.

open_basedir would fall into the same category, for the same reasons,
namely that it requires too much knowlege of how the libraries you link to
are going to mess with your ability to lock them down.

... Adam