
[Repost] PHP local safedir restriction bypass vulnerability and test code


Source: slythers (at) gmail (dot) com

There is a vulnerability (local safedir restriction bypass) identified within the GD extension affecting the following functions:
- imagegif()
- imagepng()
- imagejpeg()

in /ext/gd/gd.c line 1647

Which is now fixed in the cvs
http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786

POC:
with an image like http://81.57.125.106/~slythers/file.gif
<?php
$im = imagecreatefromgif("file.gif");
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>

curl openbasedir and safemode bypass.
POC:
http://www.eviloctal.com/forum/r ... =15607&toread=1

As you notice, we can bypass the safedir which leads to access to any
files on any shared servers.

This is fixed in the cvs.

slythers (at) gmail (dot) com
greets : david coallier <davidc (at) php (dot) net>
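
The flaw reported above is a missing destination-path check in the GD image writers. As an added example (not part of the original post and not PHP's own open_basedir code), the following application-level check resolves the output path before imagegif() is called; the function names path_within_basedirs and checked_imagegif and the demo directory layout are assumptions.

```php
<?php
// Added illustration; not PHP's internal open_basedir code.
// True only when $target resolves to a path under one of $allowedDirs.
function path_within_basedirs(string $target, array $allowedDirs): bool
{
    // An output file usually does not exist yet, so resolve its parent
    // directory (symlinks and ".." included) and re-attach the file name.
    $parent = realpath(dirname($target));
    if ($parent === false) {
        return false; // parent directory missing: refuse
    }
    $resolved = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . basename($target);
    // An existing target may itself be a symlink pointing elsewhere.
    if (is_link($resolved) || file_exists($resolved)) {
        $resolved = realpath($resolved);
        if ($resolved === false) {
            return false; // dangling symlink: refuse
        }
    }
    foreach ($allowedDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // configured directory does not exist
        }
        // The trailing separator stops /srv/site from matching /srv/site2.
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($resolved, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// Hypothetical wrapper: check the destination before GD writes to it.
function checked_imagegif($im, string $target, array $allowedDirs): bool
{
    return path_within_basedirs($target, $allowedDirs) && imagegif($im, $target);
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'basedir_demo_' . getmypid();
mkdir("$root/site/out", 0700, true);
mkdir("$root/site2", 0700, true);
$allowed = ["$root/site"];
foreach (["$root/site/out/a.gif", "$root/site/out/../../site2/x.php", "$root/site2/x.php"] as $p) {
    printf("%-60s %s\n", $p, path_within_basedirs($p, $allowed) ? 'allowed' : 'refused');
}
```

The check and the write are separate steps, so the allowed directory must not be writable by other local users between them.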