PHP curl_exec() url is controlled by user

Description

Manual confirmation is required for this alert.

This script is using the PHP function curl_exec(). The url used by curl is based on user input. This is not recommended as it can lead to various vulnerabilities.

For example, an attacker can use the file:// protocol to read arbitrary files from the server (by using an url like file:///etc/passwd). It's also possible to access computers behind the firewall using URLs like http://192.168.0.1 or ftp://192.168.0.1.

An older version of libcurl compiled to support SCP can get tricked to get a file using embedded semicolons, which can lead to execution of commands on the given server. "scp://name:passwd@host/a'``;date >/tmp/test``;'".

Remediation

The user should not be able to control the url used by curl_exec(). You need to review the source code of this script and make the necessary adjustments. If possible, you should create a whitelist of accepted URLs and/or deny the usage of file:// protocol.

References