VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1392


Description

PHP 4.0 with cURL functions bypasses open_basedir restriction, allowing remote attackers to read arbitrary files via file:// URL in curl_init().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The cURL module in PHP 4.0 fails to respect the open_basedir configuration directive when the curl_init() function is called with a file:// URL. This allows scripts that accept user-supplied paths to read arbitrary files outside the allowed directory. Affected versions include PHP 4.0 up to 4.3.8 (as per Ubuntu advisory) [1]. The issue is present when PHP is compiled with cURL support.

Exploitation

An attacker can exploit this by crafting a request to a PHP script that uses curl_init() with an attacker-controlled URL, specifying file:///etc/passwd (or any local file). No special privileges or authentication are required; the attacker only needs to be able to send HTTP requests to the vulnerable script. The proof-of-concept code from [4] demonstrates this: curl_init("file:///etc/parla") followed by curl_exec() retrieves the file content.

Impact

Successful exploitation leads to unauthorized disclosure of arbitrary file contents on the server, bypassing the open_basedir restriction. This can expose sensitive information such as configuration files, credentials, or application source code. The attacker gains read access to files that the web server user can read, potentially leading to further compromise.

Mitigation

The vulnerability is fixed in PHP 4.3.8-3ubuntu7.3 for Ubuntu 4.10 [1]. Other distributions released patches accordingly. Users should upgrade to the latest patched version of PHP. If upgrading is not possible, avoid passing user-supplied data to curl_init() or disable the file:// protocol handler in cURL. No KEV listing is known.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

15
  • PHP/PHP: 14 versions
    • cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
  • PHP/PHP 4.4.2 (llm-fuzzy)
    Range: 4.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing enforcement of open_basedir restriction on file:// URLs passed to the cURL function curl_init."

Attack vector

An attacker who can upload or inject PHP code onto a server where open_basedir is configured can bypass that restriction by calling curl_init() with a file:// URL [ref_id=1]. The cURL library fetches the local file and returns its contents via curl_exec(), ignoring the PHP-level open_basedir directive. The attacker only needs the ability to execute arbitrary PHP code (e.g., via a file upload or a web shell) and network access to the target server's PHP interpreter.

Affected code

The advisory [ref_id=1] identifies the curl_init() function as the entry point. The underlying defect is in the cURL extension's handling of file:// protocol URLs, which bypasses PHP's open_basedir security check. No specific source file or patch is provided in the bundle.

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] reports that PHP 4.0 with cURL functions does not apply the open_basedir check to file:// URLs handled by the cURL extension. The remediation would require PHP's cURL wrapper to validate the resolved file path against the configured open_basedir directories before allowing the cURL operation to proceed, or to disallow file:// URLs entirely when open_basedir is active.
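
The remediation described above (check the resolved file:// path against open_basedir, otherwise hold cURL to web protocols), written as a userland wrapper for current PHP. This is an added example, not PHP's own patch or code from the advisory; path_within_basedir, vet_curl_url and safe_curl_init are hypothetical names, and it assumes a cURL extension that defines CURLOPT_PROTOCOLS.

```php
<?php
// Added example, not PHP's patch. All function names here are hypothetical.

// True if $path resolves (symlinks, ../) inside one of the open_basedir entries.
function path_within_basedir(string $path, string $openBasedir): bool
{
    $real = realpath($path);
    if ($real === false) {
        return false;                      // unresolvable path: refuse
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $dir) {
        $base = realpath($dir);
        $base = $base === false ? null : rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Compare whole path components so /var/www/html2 does not match /var/www/html.
        if ($base !== null && strncmp($real . DIRECTORY_SEPARATOR, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// Returns the lower-cased scheme if the URL may be fetched, otherwise null.
function vet_curl_url(string $url, string $openBasedir): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme === 'http' || $scheme === 'https') {
        return $scheme;
    }
    if ($scheme !== 'file') {
        return null;                       // every other protocol is refused
    }
    // cURL percent-decodes the path, so decode before resolving it.
    $path = rawurldecode((string) parse_url($url, PHP_URL_PATH));
    $ok = $openBasedir === '' || path_within_basedir($path, $openBasedir);
    return $ok ? 'file' : null;
}

function safe_curl_init(string $url)
{
    $scheme = vet_curl_url($url, (string) ini_get('open_basedir'));
    if ($scheme === null) {
        throw new InvalidArgumentException('URL refused: ' . $url);
    }
    $ch = curl_init($url);
    $web = CURLPROTO_HTTP | CURLPROTO_HTTPS;
    // Pin protocols: file:// is enabled only for a vetted file:// URL, never for redirects.
    curl_setopt($ch, CURLOPT_PROTOCOLS, $scheme === 'file' ? CURLPROTO_FILE : $web);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, $web);
    return $ch;
}
```

The path is resolved before cURL opens it, so a symlink swapped in between the check and the fetch is not covered. Where scripts never need local files, returning null for every file:// URL in vet_curl_url closes that gap.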

Preconditions

  • config: PHP must be compiled with cURL support and open_basedir must be configured in php.ini.
  • auth: The attacker must be able to execute arbitrary PHP code on the target server (e.g., via file upload or existing web shell).
  • network: The attacker must have HTTP access to the PHP script on the target server.
  • input: The attacker supplies a file:// URL as the argument to curl_init().

Reproduction

Create a PHP file (e.g., curl.php) containing: <?php $ch = curl_init("file:///etc/parla"); $file=curl_exec($ch); echo $file ?>. Place it in a web-accessible directory on a server where open_basedir is set to a restricted path (e.g., /var/www/html) and the cURL extension is enabled. Access the script via a web browser; the contents of /etc/parla (or any other file outside the open_basedir restriction) will be displayed [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
