Portal Home > Knowledgebase > Articles Database > any security issues with curl etension?
any security issues with curl etension?
| Posted by AL-Kateb, 03-06-2010, 08:15 AM |
| Hello everybody, am running shared hosting service and i was recommended to disable the few functions like curl_init and curl_setopt for security reasons .. i tried searching to know what vulnerability might this function cause. though wordpress customers complaining about this function being disabled! cos wordpress is using it to retrieve files like when you do upgrade to a plugin or something like that.
so should i keep disabling this function? and yes i have to mention that i am running PHP in safe mode and i guess safe mode will restrict this function somehow anyway.
so what do u suggest
thanks
|
| Posted by UNIXy, 03-06-2010, 12:16 PM |
| curl_init can be abused by outsiders. One could easily trick curl_init to pull an exploit from the web onto your server and easily run the script from a browser. You're asking for trouble if you're enabling the curl_init function in a non-controlled environment like a shared server.
Regards
Joe / UNIXY
|
| Posted by AL-Kateb, 03-06-2010, 12:36 PM |
| is there a way for me to get around this without disabling this function since it's needed by applications like wordpress!? especially that lots of other functions are disabled .... so what the script he might run will be?
if it's other than php it wont run cos all accounts do not have CGI access, and the dangerous functions in php like system or exec .. etc are disabled.
so what else can he do other than uploading a script? which might happen with normal upload form if not secured?
I'm sorry am not expert but i still did not get the risk in this.
waiting for more clarification if possible.
thanks
|
| Posted by UNIXy, 03-06-2010, 01:02 PM |
| Hi,
I'm not sure I can explain the ramifications clearly but here's an example.
Let's say that one of your customers needs to use curl_init in his/her application to retrieve the weather for a certain visitor's city. So, your customer decides to hard code part of the URL to http://www.weather.com and the rest of the URL based on the city like this:
$city being passed from a webpage form down to the PHP script on the server. There are all sorts of tricks in an attacker's arsenal to somehow overwrite the URL string to make it go to say websitex.com/ and download a c99 shell to be able to remotely access your server. The final URL might look like this:
Then the attacker would simply browse your customer's website and run the c99.php script that was downloaded above:
http://yourcustomersweb.com/c99.php
Regards
Joe / UNIXY
|
| Posted by CodyRo, 03-06-2010, 01:07 PM |
| This is a good example as why poor coding is a security concern, though cURL itself isn't. The same could be said for someone using remote includes, etc.
We don't disable any curl functions, it's a non-issue and never has been.
|
| Posted by AL-Kateb, 03-07-2010, 06:44 AM |
| Now i got it! i thought there's an issue with the function itself ... well if the coder did not filter the user input it's none of the hosting provider problem! right?
and this might happen for any other function like CodyRo said.
Thanks for the clarification UNIXy and CodyRo. i will keep this function enabled since it's needed by important app like wordpress and coders are on their own : ) they got to learn how to filter user's input.
|
Add to Favourites 
Print this Article
Also Read
Shared Hosting
Shared Hosting
