CVE-2004-1392
CVSS 5.0
Published: 2004-12-31 00:00:00
Last modified: 2016-10-17 22:53:53

[Original] PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.


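[CNNVD] PHP cURL Open_Basedir Restriction Bypass Vulnerability (CNNVD-200412-360)

        PHP 4.0 with cURL functions contains a vulnerability. A remote attacker can use the URL argument of the curl_init function to bypass the open_basedir setting and read arbitrary files.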

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:php:php:4.0.1  PHP PHP 4.0.1
cpe:/a:php:php:4.0.3  PHP PHP 4.0.3
cpe:/a:php:php:4.0.2  PHP PHP 4.0.2
cpe:/a:php:php:4.0.7:rc3
cpe:/a:php:php:4.0.1:patch1
cpe:/a:php:php:4.0.7:rc2
cpe:/a:php:php:4.0.3:patch1
cpe:/a:php:php:4.0.7:rc1
cpe:/a:php:php:4.0
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:4.0.5  PHP PHP 4.0.5
cpe:/a:php:php:4.0.4  PHP PHP 4.0.4
cpe:/a:php:php:4.0.7  PHP PHP 4.0.7
cpe:/a:php:php:4.0.6  PHP PHP 4.0.6

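- OVAL (technical details for detection)

oval:org.mitre.oval:def:9279  PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to ...
* OVAL describes in detail how to detect this vulnerability; further technical details for detecting it can be found in the relevant OVAL definition.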

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1392
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1392
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-360
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109898213806099&w=2
(UNKNOWN)  BUGTRAQ  20041027 PHP4 cURL functions bypass open_basedir
http://marc.info/?l=bugtraq&m=110625060220934&w=2
(UNKNOWN)  BUGTRAQ  20050120 [USN-66-1] PHP vulnerabilities
http://securitytracker.com/id?1011984
(UNKNOWN)  SECTRACK  1011984
http://www.redhat.com/support/errata/RHSA-2005-405.html
(UNKNOWN)  REDHAT  RHSA-2005:405
http://www.redhat.com/support/errata/RHSA-2005-406.html
(UNKNOWN)  REDHAT  RHSA-2005:406
http://www.securityfocus.com/bid/11557
(PATCH)  BID  11557
http://xforce.iss.net/xforce/xfdb/17900
(UNKNOWN)  XF  php-openbasedir-restriction-bypass(17900)
https://bugzilla.fedora.us/show_bug.cgi?id=2344
(PATCH)  FEDORA  FLSA:2344

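- Vulnerability information

PHP cURL Open_Basedir Restriction Bypass Vulnerability
Medium severity  Access validation error
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        PHP 4.0 with cURL functions contains a vulnerability. A remote attacker can use the URL argument of the curl_init function to bypass the open_basedir setting and read arbitrary files.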

- Advisories and patches

        Avaya has released an advisory (ASA-2005-136) that acknowledges this vulnerability for Avaya products. Please see the referenced Avaya advisory for further details.
        Conectiva has released an advisory (CLSA-2005:955) and fixes to address this and other issues. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.
        Ubuntu Linux has released advisory USN-66-1 to address this, and other issues. Please see the referenced advisory for further information.
        Ubuntu has released advisory USN-66-2 to release new fixes for this issue. The fixes included in the previous Ubuntu advisory USN-66-1 still allow for some variants of this issue to occur. Please see the referenced advisory for more information.
        Fedora has released Fedora Legacy advisory FLSA:2344 to address various issues in Red Hat Linux 7.3, Red Hat Linux 9.0 and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.
        Red Hat released advisory RHSA-2005:405-06 as well as fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisories for additional information.
        SGI has released an advisory 20050501-01-U including updated SGI ProPack 3
        Service Pack 5 packages to address this BID and other issues. Please see
        the referenced advisory for more information.
        
        
        PHP PHP 4.1.2
        
        PHP PHP 4.2.2
        
        PHP PHP 4.3.3
        

- Vulnerability information (24711)

PHP 4.x/5 cURL Open_Basedir Restriction Bypass Vulnerability (EDBID:24711)
php remote
2004-10-28 Verified
0 FraMe
N/A
source: http://www.securityfocus.com/bid/11557/info

It is reported that cURL allows malicious users to bypass 'open_basedir' restrictions in PHP scripts. This issue is due to a failure of the cURL module to properly enforce PHP's 'open_basedir' restriction.

Users with the ability to create or modify PHP scripts on a server computer hosting the vulnerable software can reportedly exploit this vulnerability to bypass the 'open_basedir' restriction, and access arbitrary files with the privileges of the web server. This may aid them in further attacks.

This vulnerability possibly results in a false sense of security, as administrators expect that the restrictions in place prevent malicious users from gaining access to sensitive information.

<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>		

- Vulnerability information

11196
PHP cURL open_basedir Arbitrary File Access
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

PHP contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when CURL functions fail to comply with the open_basedir directive which is designed to restrict PHP scripts to open_basedir. This flaw may lead to a loss of confidentiality.

- Timeline

2004-10-27 Unknown
2004-10-27 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable CURL support in PHP

- Related references

- Vulnerability author

- Vulnerability information

PHP cURL Open_Basedir Restriction Bypass Vulnerability
Access Validation Error 11557
Yes No
2004-10-28 12:00:00 2009-07-12 08:06:00
FraMe <frame@hispalab.com> disclosed this vulnerability.

- Affected software versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core1
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
PHP PHP 4.2.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ HP Secure OS software for Linux 1.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Sun Cobalt RaQ 550
+ Sun LX50
+ Trustix Secure Linux 1.5
PHP PHP 4.0.5
PHP PHP 4.0.4
+ Compaq Compaq Secure Web Server PHP 1.0
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
Conectiva Linux 10.0
Conectiva Linux 9.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Converged Communications Server 2.0

- Vulnerability discussion

It is reported that cURL allows malicious users to bypass 'open_basedir' restrictions in PHP scripts. This issue is due to a failure of the cURL module to properly enforce PHP's 'open_basedir' restriction.

Users with the ability to create or modify PHP scripts on a server computer hosting the vulnerable software can reportedly exploit this vulnerability to bypass the 'open_basedir' restriction, and access arbitrary files with the privileges of the web server. This may aid them in further attacks.

This vulnerability possibly results in a false sense of security, as administrators expect that the restrictions in place prevent malicious users from gaining access to sensitive information.

- Exploit

An exploit is not required. An example PHP script containing cURL functions sufficient to read arbitrary files was provided:

<?php
$ch = curl_init("file:///etc/parla");
$file=curl_exec($ch);
echo $file
?>

- Solution

Avaya has released an advisory (ASA-2005-136) that acknowledges this vulnerability for Avaya products. Please see the referenced Avaya advisory for further details.

Conectiva has released an advisory (CLSA-2005:955) and fixes to address this and other issues. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.

Ubuntu Linux has released advisory USN-66-1 to address this, and other issues. Please see the referenced advisory for further information.

Ubuntu has released advisory USN-66-2 to release new fixes for this issue. The fixes included in the previous Ubuntu advisory USN-66-1 still allow for some variants of this issue to occur. Please see the referenced advisory for more information.

Fedora has released Fedora Legacy advisory FLSA:2344 to address various issues in Red Hat Linux 7.3, Red Hat Linux 9.0 and Fedora Core 1 for the i386 architecture. Please see the referenced advisory for more information.

Red Hat released advisory RHSA-2005:405-06 as well as fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisories for additional information.

SGI has released an advisory 20050501-01-U including updated SGI ProPack 3
Service Pack 5 packages to address this BID and other issues. Please see
the referenced advisory for more information.


PHP PHP 4.1.2

PHP PHP 4.2.2

PHP PHP 4.3.3

PHP PHP 4.3.8

- Related references
