Date: Wed Oct 19 01:39:53 2005
From: sesser at (Stefan Esser)
Subject: PHP Safedir Restriction Bypass Vulnerabilities


> In regards to the curl, I have just checked all the PHP curl code;
> this was fixed in 4.3.10 from what I can see, because I wrote a patch
> to stop the open_basedir in curl until PHP fixed it. I submitted it
> a long time ago but the PHP devs were all "blah blah blah 3rd party
> software blah blah not our problem"

Just because you close one (more) file:// hole with a patch, you do not
solve the 3rd party library problem. As long as you have CURL compiled with
file:// support you can bypass safe_mode/open_basedir in PHP. There are
enough hidden features in libcurl that allow feeding it with file://
URLs without PHP ever knowing about it.

Just face it: safe_mode is not safe, never was and never will be. It is
simply impossible for an application to put access control restrictions
over (hidden) features of 3rd party libraries, that are not exported.
And with PHP6 safe_mode, register_globals and all the crap will most
probably disappear.


 Stefan Esser                                     
 Hardened-PHP Project               

 GPG-Key                gpg --keyserver --recv-key 0x15ABDA78
 Key fingerprint       7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78
