PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function. You can verify this issue with this simple php example. <?php $ch = curl_init("file:///etc/parla"); $file=curl_exec($ch); echo $file ?>
Created attachment 110975 [details] Patch from ubuntu to fix this issue
This issue should also affect RHEL2.1.
Created attachment 111457 [details] Updated patch for CAN-2004-1392 from Ubuntu advisory USN-66-2
Safe mode bypasses are not considered to have "security" severity, since the PHP interpreter does not really provide a sandbox in which scripts are executed.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-405.html