Usually, curl is used to connect and retrieve data from a remote URL
using the http protocol. However, curl supports a bunch of protocols.
One of these protocols is the file protocol. Using this protocol you can
read local files by using an URL like file:///etc/passwd. Therefore, if
the user can control the URL passed to curl_exec, in some cases (if the
content is echoed back) he can read local files.
While testing our AcuSensor technology on different applications, I’ve
found a real-life example of a vulnerable application. I’m talking
about Zen Cart.
Zen Cart is an open source online store management system. It is
PHP-based, using a MySQL database and HTML components. Support is
provided for several languages and currencies, and it is freely
available under the GNU General Public License.
Zen Cart contains a directory named extras where there are different
test scripts. One of these scripts is curltest.php.
Read more »