PHP FOpen Safe_Mode Restriction-Bypass Vulnerability

Bugtraq ID:	22261
Class:	Input Validation Error
CVE:	CVE-2007-0448
Remote:	No
Local:	Yes
Published:	Jan 26 2007 12:00AM
Updated:	May 23 2007 07:37PM
Credit:	Maksymilian Arciemowicz discovered this vulnerability.
Vulnerable:	PHP PHP 5.2 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc + Debian Linux 4.0 mipsel + Debian Linux 4.0 mips + Debian Linux 4.0 m68k + Debian Linux 4.0 ia-64 + Debian Linux 4.0 ia-32 + Debian Linux 4.0 hppa + Debian Linux 4.0 arm + Debian Linux 4.0 amd64 + Debian Linux 4.0 alpha + Debian Linux 4.0 Pardus Linux 2007.1
Not Vulnerable:

PHP FOpen Safe_Mode Restriction-Bypass Vulnerability

PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations; other attacks may also be possible.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, all assuming that the 'safe_mode' restriction will isolate users from each other.

This issue is reported to affect PHP version 5.2.0; other versions may also be vulnerable.

PHP FOpen Safe_Mode Restriction-Bypass Vulnerability

Attackers may exploit this issue with standard PHP code.

The following function call demonstrates this issue:

php -r 'fopen("srpath://../../../../../../../dir/pliczek", "a");'

PHP FOpen Safe_Mode Restriction-Bypass Vulnerability

Solution:
Please see the references for details.

PHP FOpen Safe_Mode Restriction-Bypass Vulnerability

References:

• PHP 5.2.0 safe_mode bypass (by Writing Mode) (SecurityReason)