PHP cURL Encoded NULL Character Safe_Mode Restriction Bypass Vulnerability
BID:18116
CVE-2006-2563
| Bugtraq ID: | 18116 |
| Class: | Input Validation Error |
| CVE: | CVE-2006-2563 |
| Remote: | No |
| Local: | Yes |
| Published: | May 27 2006 12:00AM |
| Updated: | Sep 01 2006 04:48PM |
| Credit: | Maksymilian Arciemowicz (cXIb8O3) discovered this vulnerability. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
PHP PHP 5.1.4
PHP PHP 4.4.2
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0 |
| Not Vulnerable: | |
Discussion
PHP cURL is prone to a safe_mode restriction-bypass vulnerability. Successful exploitation could allow an attacker to access sensitive information.
This issue is reported to affect PHP versions 4.4.2 and 5.1.4; other versions may also be vulnerable.
Exploit / POC
An attacker exploits this issue through standard PHP scripting methods.
Solution / Fix
Solution:
The vendor has applied a fix for this issue in the CVS repository. Users of affected packages should contact the vendor for information on obtaining and applying fixes.
Please see the referenced advisories for more information.