Usually, curl is used to connect and retrieve data from a remote URL
using the http protocol. However, curl supports a bunch of protocols.
One of these protocols is the file protocol. Using this protocol you can
read local files by using an URL like file:///etc/passwd. Therefore, if
the user can control the URL passed to curl_exec, in some cases (if the
content is echoed back) he can read local files.
While testing our AcuSensor technology on different applications, I=E2=80=99ve
found a real-life example of a vulnerable application. I=E2=80=99m talking
about Zen Cart.
Zen Cart is an open source online store management system. It is
PHP-based, using a MySQL database and HTML components. Support is
provided for several languages and currencies, and it is freely
available under the GNU General Public License.
Zen Cart contains a directory named extras where there are different
test scripts. One of these scripts is curltest.php. This script is used
for testing is the curl PHP library is installed and is working properly.
$url = (isset($_GET['url'])) ? urldecode($_GET['url']) : $defaultURL;
// Send CURL communication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
$result = curl_exec($ch);
$errtext = curl_error($ch);
$errnum = curl_errno($ch);
$commInfo = @curl_getinfo($ch);
if ($url != $defaultURL) echo $result . 'EOF';
As you can see above, the URL passed to the curl_setopt (CURLOPT_URL)
function and later used by curl_exec comes from user input ($_GET['url']).
Also, the file contents (saved in the $result) are echoed back to the
user. Therefore we can read the contents of any file from the remote
server by issuing an request like:
The extras directory contains other test scripts. One of them, named
ipn_test_return.php, is not properly written and will display an error
message when called directly:
If you issue a request like
you will receive the following error message:
Fatal error: require() [function.require]: Failed opening required =E2=80=98includes/application_top.php=E2=80=99 (include_path==E2=80=99.:/usr/share/php:/usr/share/pear=E2=80=99) in /var/www/bld/bld02/zen-cart/extras/ipn_test_return.php on line 14
This error message reveals the local path, so now we know where the application is installed. This could be useful to read the contents of the configuration file (includes/configure.php). This file contains the database credentials. If the Zen Cart database is not stored on the local server, it=E2=80=99s possible to access the database remotely. Also, even without the file:// protocol, it=E2=80=99s possible to access hosts behind the firewall by issuing requests like http://website/zen-cart/extras/curltest.php?url=http://192.168.0.1 or http://website/zen-cart/extras/curltest.php?url=http://192.168.1.1. The vendor released a security alert after being notified by us. They advise users to completely remove the extras directory as it=E2=80=99s not required by Zen Cart and it was distributed only for troubleshooting. The security alert can be found at: http://www.zen-cart.com/forum/showthread.php?t=142784 -- Bogdan Calin - firstname.lastname@example.org CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog