Zend Platform PHP.INI File Modification Vulnerability
BID:22802
Info
| Bugtraq ID: | 22802 |
| Class: | Configuration Error |
| CVE: | CVE-2007-1369 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 03 2007 12:00AM |
| Updated: | May 07 2015 06:01PM |
| Credit: | Discovery is credited to Stefan Esser. |
| Vulnerable: | Zend Zend Platform 2.2.1; Zend Zend Platform 2.2.1a; Zend Zend Platform 2.2.1(a) |
| Not Vulnerable: | Zend Zend Platform 3.0 |
Discussion
The Zend Platform is prone to an issue that may let local attackers modify the PHP configuration file ('php.ini'). This issue occurs because the application is installed with an 'ini_modifier' program that may be executed by local users and will bypass the authentication that is required by the application to change the configuration file.
An attacker could add a malicious PHP extension to the configuration or otherwise tamper with PHP configuration directives. A successful exploit could grant the attacker elevated privileges on the computer.
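A defender's check for the tampering described above, as an added example that is not part of the original advisory: it compares a php.ini against a trusted baseline copy and reports added or removed extension-loading directives and changed settings. The function names, sample file contents and paths are constructed for illustration.

```python
import re

# Directives that load native code into PHP; a new entry here is the
# tampering the advisory describes (an extension added to php.ini).
LOADER_KEYS = {"extension", "zend_extension", "zend_extension_ts"}

def parse_ini(text):
    """Split php.ini text into (loader directives as a set, other settings as a dict)."""
    loaders, settings = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        # Drop a trailing "; comment" and surrounding quotes.
        value = re.sub(r"\s;.*$", "", value).strip().strip("\"'")
        if key in LOADER_KEYS:
            loaders.add((key, value))   # loader lines may legitimately repeat
        else:
            settings[key] = value       # keep the last assignment seen
    return loaders, settings

def diff_ini(baseline_text, current_text):
    """List findings where the current php.ini departs from a trusted baseline."""
    base_load, base_set = parse_ini(baseline_text)
    cur_load, cur_set = parse_ini(current_text)
    findings = [f"new loader: {k}={v}" for k, v in sorted(cur_load - base_load)]
    findings += [f"removed loader: {k}={v}" for k, v in sorted(base_load - cur_load)]
    for key in sorted(set(base_set) | set(cur_set)):
        if base_set.get(key) != cur_set.get(key):
            findings.append(f"changed: {key}: {base_set.get(key)!r} -> {cur_set.get(key)!r}")
    return findings

# Constructed sample input (not from the advisory): a trusted copy and a modified copy.
BASELINE = '[PHP]\nsafe_mode = On\ndisable_functions = "exec,system" ; hardening\nextension=mysql.so\n'
CURRENT = ('[PHP]\nsafe_mode = Off\ndisable_functions = "exec,system"\n'
           'extension=mysql.so\nextension=/opt/example/unknown.so\n')

if __name__ == "__main__":
    for finding in diff_ini(BASELINE, CURRENT):
        print(finding)
```

Run against a baseline stored outside the reach of local users, since a baseline kept next to php.ini can be altered along with it.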
Solution / Fix
Solution:
This issue has been addressed in Zend Platform 3.0.