发布时间 :2006-05-29 12:02:00
修订时间 :2011-03-07 21:36:30

[原文]The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing null characters.

[CNNVD]PHP cURL library 空字符请求 访问控制绕过漏洞(CNNVD-200605-502)

        PHP 4.4.2和5.1.4中的cURL library (libcurl)可以使攻击者借助包含空字符的file:// 请求,绕过安全模式并读取文件。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:php:php:4.4.2PHP PHP 4.4.2
cpe:/a:php:php:5.1.4PHP 5.1.4

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  VUPEN  ADV-2006-2055
(UNKNOWN)  BID  18116
(UNKNOWN)  XF  php-curl-safemode-bypass(26764)
(UNKNOWN)  SREASONRES  20060526 cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4

- 漏洞信息

PHP cURL library 空字符请求 访问控制绕过漏洞
低危 输入验证
2006-05-29 00:00:00 2006-05-30 00:00:00
        PHP 4.4.2和5.1.4中的cURL library (libcurl)可以使攻击者借助包含空字符的file:// 请求,绕过安全模式并读取文件。

- 公告与补丁


- 漏洞信息 (F48439)

Ubuntu Security Notice 320-1 (PacketStormID:F48439)
2006-07-24 00:00:00

Ubuntu Security Notice 320-1 - Multiple vulnerabilities in php4 and php5 have been fixed in Ubuntu.

Ubuntu Security Notice USN-320-1              July 19, 2006
php4, php5 vulnerabilities
CVE-2006-0996, CVE-2006-1490, CVE-2006-1494, CVE-2006-1608,
CVE-2006-1990, CVE-2006-1991, CVE-2006-2563, CVE-2006-2660,
CVE-2006-3011, CVE-2006-3016, CVE-2006-3018

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libapache2-mod-php4                      4:4.3.10-10ubuntu4.5
  php4-cgi                                 4:4.3.10-10ubuntu4.5
  php4-cli                                 4:4.3.10-10ubuntu4.5

Ubuntu 5.10:
  libapache2-mod-php5                      5.0.5-2ubuntu1.3
  php5-cgi                                 5.0.5-2ubuntu1.3
  php5-cli                                 5.0.5-2ubuntu1.3
  php5-curl                                5.0.5-2ubuntu1.3

Ubuntu 6.06 LTS:
  libapache2-mod-php5                      5.1.2-1ubuntu3.1
  php5-cgi                                 5.1.2-1ubuntu3.1
  php5-cli                                 5.1.2-1ubuntu3.1
  php5-curl                                5.1.2-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The phpinfo() PHP function did not properly sanitize long strings. A
remote attacker could use this to perform cross-site scripting attacks
against sites that have publicly-available PHP scripts that call
phpinfo(). Please note that it is not recommended to publicly expose
phpinfo(). (CVE-2006-0996)

An information disclosure has been reported in the
html_entity_decode() function. A script which uses this function to
process arbitrary user-supplied input could be exploited to expose a
random part of memory, which could potentially reveal sensitive data.

The wordwrap() function did not sufficiently check the validity of the
'break' argument. An attacker who could control the string passed to
the 'break' parameter could cause a heap overflow; however, this
should not happen in practical applications. (CVE-2006-1990)

The substr_compare() function did not sufficiently check the validity
of the 'offset' argument. A script which passes untrusted user-defined
values to this parameter could be exploited to crash the PHP
interpreter. (CVE-2006-1991)

In certain situations, using unset() to delete a hash entry could
cause the deletion of the wrong element, which would leave the
specified variable defined. This could potentially cause information
disclosure in security-relevant operations. (CVE-2006-3017)

In certain situations the session module attempted to close a data
file twice, which led to memory corruption. This could potentially be
exploited to crash the PHP interpreter, though that could not be
verified. (CVE-2006-3018)

This update also fixes various bugs which allowed local scripts
to bypass open_basedir and 'safe mode' restrictions by passing special
arguments to tempnam() (CVE-2006-1494, CVE-2006-2660), copy()
(CVE-2006-1608), the curl module (CVE-2006-2563), or error_log()

Updated packages for Ubuntu 5.04:

  Source archives:
      Size/MD5:   281888 6b2f9b14e6b17fd16b39fc992370c700
      Size/MD5:     1469 e107321f5a864fec29aba0ddc4557bda
      Size/MD5:  4892209 73f5d1f42e34efa534a09c6091b5a21e

  Architecture independent packages:
      Size/MD5:     1128 e68858ad284ff509a9a7ba6004cd85b3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
      Size/MD5:  1657574 00032fa4aca5c15403f290cae27bfe38
      Size/MD5:  3275318 be667056767f298619d7c48d73f22c00
      Size/MD5:  1647612 d615fd92ad1609108ec1e877ce748ade
      Size/MD5:   168182 ad4bd0b977814c2c3379235d76cf2ed2
      Size/MD5:   348270 03f94109b0ea8c73d8d88e50e10efede

  i386 architecture (x86 compatible Intel/AMD)
      Size/MD5:  1592870 c6b451acf5d81078e94fb5a54b95d6a2
      Size/MD5:  3169782 cf7f5272636d079f7c63b64e9223b7d9
      Size/MD5:  1592870 e05d13859444b3099f5b1a97b0d837ca
      Size/MD5:   168172 b8c9e8464a33ec55dfabbada52ee8daa
      Size/MD5:   348248 204bfc480c4836584bd602c8889ccb66

  powerpc architecture (Apple Macintosh G3/G4/G5)
      Size/MD5:  1659004 638144a3de0f22ba6de5205a3ae49aa6
      Size/MD5:  3278846 8bc3694c01c50a02a2cfcba348c4ca04
      Size/MD5:  1646202 e56983733773b5e9d503b3d79e46d40b
      Size/MD5:   168182 7845a86818f44b188e0e2b8a4ab9362b
      Size/MD5:   348282 e4f04ccf48c23120b57a644ea02aeb10

Updated packages for Ubuntu 5.10:

  Source archives:
      Size/MD5:   107447 9032c71ebc4f7cbabe69cf553ca53bb6
      Size/MD5:     1707 3101f858bd7f41d4d9596899e6fd545c
      Size/MD5:  6082082 ae36a2aa35cfaa58bdc5b9a525e6f451

  Architecture independent packages:
      Size/MD5:   173678 bf244c954f00526ebfb99d054610cb22
      Size/MD5:     1040 17d3d2c9eb5aaeea047f7b95df5d7c4b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
      Size/MD5:  2013202 1b04af5e687093f08538931e36dc70b0
      Size/MD5:  3972082 08c12a61c249e2da0dd8aa3bb716f385
      Size/MD5:  1996996 6450642ae567b85ea5d9297c6f23f67a
      Size/MD5:   128432 e2d07624f754c9d73b48107042e71b99
      Size/MD5:    24026 8d2d964e492961d6cf1f10bb73e579e7
      Size/MD5:   218782 a82953cc5cc39025399ea5f8a4f2d7d7
      Size/MD5:    35562 1790527d4ff6025ec4939551be47903a
      Size/MD5:    20666 0a674c8481ebd5386174b6cdc5ac6823
      Size/MD5:     8614 45094af5e7c8cc5d4b2918474acb9a83
      Size/MD5:    24474 59143733316c412dd1d1bd909b88a50f
      Size/MD5:    29288 ef96b5317173c70120473b5477039975
      Size/MD5:    40076 1c97310bf8ba44a567aef83ac0be675f
      Size/MD5:     8094 854a549449f48f8a73aeec3f6233c62b
      Size/MD5:    14472 bb882674e6d1046b60d34456f9fc08db
      Size/MD5:    28156 5a1d8b3542e1dd150831a2e732196b79
      Size/MD5:    22216 791efc45078dacdaff1e46ce67765ae3
      Size/MD5:    41902 3ecdf309ebf41cd8a282ba1afb3e007c
      Size/MD5:    15094 ba2f77b039cbfa625af0a9f652370a18

  i386 architecture (x86 compatible Intel/AMD)
      Size/MD5:  1868910 8b5e823a4ecd09e0c6f6926858a789dc
      Size/MD5:  3710078 81225be7db368cba84d533a277b539b8
      Size/MD5:  1864350 72b2f25953949657d9c260e3bca1ec05
      Size/MD5:   128444 98ee9ba50b6aa5f1660192e5ea5978b8
      Size/MD5:    22202 d6a0c0f2b2ccbaf12cae065324a5b3a3
      Size/MD5:   218774 c0f60ce8d9d50b4b49e9540cc2a36dfc
      Size/MD5:    31616 5f0ea2409a615bf3544c564e4bd6ea2b
      Size/MD5:    18544 28ae6c10fc23a0b6f4e62df7b1ff50bf
      Size/MD5:     8244 01bed809de0a316fde10ddd8071be09f
      Size/MD5:    21282 146de2727a59411b6fced0296878a233
      Size/MD5:    26388 4db6f8a93ecad07526ec57914238bdb6
      Size/MD5:    36046 ccd2c3e48ff4933d8024f4bf9e63a71c
      Size/MD5:     7854 7a57748c192cafa2bd51767fc5ee6a59
      Size/MD5:    13368 5d36642b8746d79f9a0bf6f7e8bcaea9
      Size/MD5:    24738 57ce594aae02451cd2d2bae081c37e7a
      Size/MD5:    20116 dbfce571c4049001a372ee7967257d65
      Size/MD5:    37496 587fedbd13ea5dacd40a9393df82ea1d
      Size/MD5:    14022 3e7e78ae38565fd50824d23af99baf77

  powerpc architecture (Apple Macintosh G3/G4/G5)
      Size/MD5:  1984118 d16a481d0e1f6bc2a6d37edb3c6f6a52
      Size/MD5:  3908380 c26873ccce65fb6b16592afb9c1dc934
      Size/MD5:  1962282 24a0ba0276705ab6fb6c2f91e1e96720
      Size/MD5:   128432 6c40b57a02306a68517be57f61f9e409
      Size/MD5:    25952 ae39a138cdfc0a964d8c45eb1b238342
      Size/MD5:   218814 8d26a46db1d8db1d234255d1caf50006
      Size/MD5:    35494 adf50b6a3144f59e68d0d94333bbf1fd
      Size/MD5:    21140 37a079fcf2d9dda260b9c971b78b04b2
      Size/MD5:    10008 e5cc8f38385453bc9900d072b169d087
      Size/MD5:    23966 285fcc837cf6aa792801b42066be1cc2
      Size/MD5:    29358 bd0b0075fe949d0c5079b373e1eac447
      Size/MD5:    39792 15013eb73dbb8ccd38fa26cfeb9e061a
      Size/MD5:     9508 59d83f23ba86aee8e9082a464296ffb2
      Size/MD5:    15304 b1bed8592aa79f6d9ab3e7f5bc074936
      Size/MD5:    28400 abc0f2c8a00d634a8eb4d6c11190a559
      Size/MD5:    23186 64d8774f133a3315a91bc893542d9b0d
      Size/MD5:    40472 759acb5a0518651ff51ecfa287f83254
      Size/MD5:    15892 4662f678768b93805f9983ca867cea70

  sparc architecture (Sun SPARC/UltraSPARC)
      Size/MD5:  1928324 40cdf5f5e1f5f15b2980f1f5ed3309bb
      Size/MD5:  3782352 dfe9afcf83981de0aff528458fbe33ef
      Size/MD5:  1901420 251ad5a78ef8aa596e5604c624d8030f
      Size/MD5:   128438 30d7f2c25b2592c687e4b4e0d709ad34
      Size/MD5:    23976 10399bd0128b487ab28b2e1a5236c4f4
      Size/MD5:   218786 ba524eec8df9827b2b7ce6407c7d3219
      Size/MD5:    32018 a179ec8b26bdcf1a069b7042cd34acaa
      Size/MD5:    18718 19acc471bd2c479bc67d8b3edf919397
      Size/MD5:     8164 c7b47f1d0dc1c7b77c6cbbe07d8c1043
      Size/MD5:    21580 08f3c66f7e4554bf5cc3b2a54fa5aa8c
      Size/MD5:    26094 cc6312b1cefe8459a97b6a0327a9f587
      Size/MD5:    36988 9e67e420e59473e707de1c75651c910c
      Size/MD5:     7810 dec138fbd786be76f7e9d538f5d6b8e7
      Size/MD5:    13248 52397133b112407c1bf05cf10d762c56
      Size/MD5:    25108 35b7aee4da74b319bbec67f4d90baf5d
      Size/MD5:    20342 536679e33d910473c5e82a94bbc7aac8
      Size/MD5:    37774 537748c5219e8e770d4a6134b19d718a
      Size/MD5:    13880 b809cf6e7019f3c81bdc1435ee6e49c6

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
      Size/MD5:   102328 0355a96821276d519f8c8782a4b6e81a
      Size/MD5:     1768 36e92785f0566e85a217ca71e9a5c2b2
      Size/MD5:  8064193 b5b6564e8c6a0d5bc1d2b4787480d792

  Architecture independent packages:
      Size/MD5:   301884 c046bd6ffadcc67a3e92d11c97056433
      Size/MD5:     1040 adf10698f586c659825d6bb419c57e02

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
      Size/MD5:  2431682 61f5733a352dfeb55319e64962b07b16
      Size/MD5:  4753556 5e3dbc03330025849e16f4273e8281f9
      Size/MD5:  2386436 f918005d73af393b95fee5804a6a19c6
      Size/MD5:   132220 18e09e8a61fd7c35b0324be125f6cbca
      Size/MD5:    24622 34a3fe2d2c339f5815794880c16ccf3c
      Size/MD5:   312566 ec860e3b87e3fa338678d8676c5bd544
      Size/MD5:    36810 ce539b52c64ab961a98e0dadca8ed009
      Size/MD5:    22136 7f162265c6fcf1d1250b474fdf199ee1
      Size/MD5:     8784 852555dbda7dbd246e372d6bb5d30498
      Size/MD5:    25248 16b3d4dcbc2a82d1b57cc0355442baec
      Size/MD5:    43910 b7402ad95554596e4f06caee3f589363
      Size/MD5:    30158 f7e60578d375c361d0548c59a6880334
      Size/MD5:    44398 a314d6426cff9d0ef51b867362ddcaea
      Size/MD5:     8352 9370cc7ea8af2b810a12036331a85951
      Size/MD5:    15302 6cabda8e5d79d6ed825762a29f64d296
      Size/MD5:    29190 fa1f6b745e4c3bb3e95a78ecb05e170c
      Size/MD5:    22708 07dbc134b2c52e87074b2b6c1fd9759c
      Size/MD5:    42308 440aac6d2be4437c9fa7d35be03335e5
      Size/MD5:    16396 23d10221afc2804bcee2c8a7cf997d97

  i386 architecture (x86 compatible Intel/AMD)
      Size/MD5:  2259588 02b7a2baeaff3c83b9ddaa22b8177f39
      Size/MD5:  4468596 70f930ba44a061b2fb294dae395a2fb2
      Size/MD5:  2244730 87f343eaef3ef8361af79dab8e329763
      Size/MD5:   132234 3e5286b58f2debadf1fecbd5e5f19873
      Size/MD5:    22842 e6520ae7794215acce0228569bb16b19
      Size/MD5:   312576 36c5959173a9383e85172518e357592a
      Size/MD5:    32836 879e7bf19c11a05c3988a86401057c71
      Size/MD5:    19794 7d3e9991018ec3c7b28b4236ba42ba6a
      Size/MD5:     8366 20b5da5c59948e9463330203bcc52f51
      Size/MD5:    21996 76a2f1b592388e212d9aa558773cd691
      Size/MD5:    37370 665de02ca6688d7dd03146129c5d6e76
      Size/MD5:    27040 562863ebc8be1abcd735dae15709b5a4
      Size/MD5:    39792 53415a11f8951244b21e75adbde8cdc0
      Size/MD5:     8058 f4a6f2df08fa4f9657c160bb837fc8cf
      Size/MD5:    14168 985dc01b4e0950f934037a4639fcc7f4
      Size/MD5:    25628 c825ff65ace9081b91576008920ec6c9
      Size/MD5:    20540 b13924d0aa87a8383df3f84b948aa218
      Size/MD5:    37816 480b6ce2cef7ee6dd98f029e04c62d98
      Size/MD5:    15134 55b262b92bb36b627feac23934aca18c

  powerpc architecture (Apple Macintosh G3/G4/G5)
      Size/MD5:  2396144 98d336c16a7ffdd772ba2994cc8ba9e5
      Size/MD5:  4688852 02f69483799090043d629d5a78853001
      Size/MD5:  2353148 e8a5f6a2963c0d9d723684db12c4065d
      Size/MD5:   132238 6c474d0c1ceb008f97f85b73fe685d06
      Size/MD5:    26616 c76a09aae09a8d0c1195dffa84f0ef80
      Size/MD5:   312580 4c46d8cfdaf7e847ec08eb3011e5b82d
      Size/MD5:    36444 b29354b8387fa985edfcfd3bcd982880
      Size/MD5:    22552 74405a985740b8b5e68d96a01c90dbd1
      Size/MD5:    10130 7afc71f7637ceed408c11a33c3c9e2d1
      Size/MD5:    24826 1fc02301ddcb57909c64e1ad7a0a190a
      Size/MD5:    41780 f069234c7a4e854a09dd3c7b67252102
      Size/MD5:    30092 48d14802bd5ef71ab8520af43f715214
      Size/MD5:    43422 55f51396fc3c0dbcbdab69bc0ff2ea3d
      Size/MD5:     9796 ad782f777da9399b3927dadd8319c959
      Size/MD5:    15948 e4036cfad191d63b79396cf428c1e0f8
      Size/MD5:    29438 77015416fc800ead0f816d713daa9714
      Size/MD5:    23590 a02c781267ee06af613d1706223afef5
      Size/MD5:    40910 ffc934955f7391c3ccfb10c202c5851a
      Size/MD5:    17252 f170632b7c712aeb2a6764f9df25d264

  sparc architecture (Sun SPARC/UltraSPARC)
      Size/MD5:  2321540 1a985c6410df8ac88e66358d75065d7e
      Size/MD5:  4529942 ba819957408a9c584a7a006b15b4a30b
      Size/MD5:  2274782 bb45955ca66a4f9b8355297e77c0f092
      Size/MD5:   132240 9867c156a4cc9edb521740795fe0ddf3
      Size/MD5:    24556 12e7e7c0f1d20a7cd90851bfc265ef79
      Size/MD5:   312580 3d2382fc7b5868d9e132e45985ad6333
      Size/MD5:    33244 db1e7ba5423cd5baa3cb7fdf37e0a62e
      Size/MD5:    20096 15a1c6fb8c76c258e9f5f03b19991628
      Size/MD5:     8372 c3115469f0537c3149c5c3b5925139ae
      Size/MD5:    22366 df8c324f4ebf1e72a636e450fab6223e
      Size/MD5:    38660 9f3224345c16299e3fade95af39d28f1
      Size/MD5:    26832 5a9106fc1fe568452732fcf791a6c118
      Size/MD5:    40606 07ed68f2791ee9594a81d06e6d37e623
      Size/MD5:     8106 b905601f9bf6736d8f65603233770144
      Size/MD5:    14062 7dfdcf22b1f527847cc0bb5cf8492bbe
      Size/MD5:    25966 7a8200a4a4c254e533d9b377f4c6367d
      Size/MD5:    20796 8719c1a73d810392dec3a243e49d3d5f
      Size/MD5:    38034 e54cb9bced89ebbe1f541dd9faa67be3
      Size/MD5:    15084 c19d460afff6d12e6077432042e19b76


- 漏洞信息

PHP cURL Library (libcurl) curl_init() Safe Mode Bypass

- 漏洞描述

PHP contains a flaw that may allow an attacker to bypass security restrictions. The issue is due to the cURL library (libcurl) not properly sanitizing user-supplied input to the curl_init() function. By passing a crafted file name to the function, an attacker can bypass safe mode restrictions and read arbitrary files via a file:// request and null characters.

- 时间线

2006-05-26 Unknow
2006-05-26 Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

PHP cURL Encoded NULL Character Safe_Mode Restriction Bypass Vulnerability
Input Validation Error 18116
No Yes
2006-05-27 12:00:00 2006-09-01 04:48:00
Maksymilian Arciemowicz (cXIb8O3) discovered this vulnerability.

- 受影响的程序版本

Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
PHP PHP 5.1.4
PHP PHP 4.4.2
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0

- 漏洞讨论

PHP cURL is prone to a safe_mode restriction-bypass vulnerability. Successful exploitation could allow an attacker to access sensitive information.

This issue is reported to affect PHP versions 4.4.2 and 5.1.4; other versions may also be vulnerable.

- 漏洞利用

An attacker exploits this issue through standard PHP scripting methods.

- 解决方案

The vendor has applied a fix for this issue in the CVS repository. Users of affected packages should contact the vendor for information on obtaining and applying fixes.

Please see the referenced advisories for more information.

- 相关参考