PHP cURL library (libcurl) curl_init() Safe Mode Bypass

2006-05-26T09:20:07
ID OSVDB:25813
Type osvdb
Reporter OSVDB
Modified 2006-05-26T09:20:07

Description

Vulnerability Description

PHP contains a flaw that may allow an attacker to bypass security restrictions. The issue is due to the cURL library (libcurl) not properly sanitizing user-supplied input to the curl_init() function. By passing a crafted file name to the function, an attacker can bypass safe mode restrictions and read arbitrary files via a file:// request and null characters.

Short Description

PHP contains a flaw that may allow an attacker to bypass security restrictions. The issue is due to the cURL library (libcurl) not properly sanitizing user-supplied input to the curl_init() function. By passing a crafted file name to the function, an attacker can bypass safe mode restrictions and read arbitrary files via a file:// request and null characters.

References:

Vendor URL: http://www.php.net/ Vendor Specific Advisory URL Secunia Advisory ID:20337 Secunia Advisory ID:21050 Secunia Advisory ID:22039 Secunia Advisory ID:21125 Other Advisory URL: http://securityreason.com/achievement_securityalert/39 Other Advisory URL: http://www.ubuntu.com/usn/usn-320-1 Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Sep/0006.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0604.html CVE-2006-2563