PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
BID:24259
Info
PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
| Bugtraq ID: | 24259 |
| Class: | Design Error |
| CVE: |
CVE-2007-3007 |
| Remote: | No |
| Local: | Yes |
| Published: | May 24 2007 12:00AM |
| Updated: | Sep 19 2007 09:30PM |
| Credit: | The discoverer of this issue is unknown. |
| Vulnerable: |
Trustix Secure Linux 3.0.5 Trustix Secure Linux 3.0 Trustix Secure Linux 2.0 Trustix Operating System Enterprise Server 2.0 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise SDK 10.SP1 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Linux Enterprise Server 9 S.u.S.E. Linux Enterprise Server 10.SP1 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc Red Hat Fedora Core7 PHP PHP 5.2.2 PHP PHP 5.2.1 PHP PHP 5.1.6 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 -RC1 PHP PHP 5.1.3 PHP PHP 5.1.2 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.0 candidate 3 PHP PHP 5.0 candidate 2 PHP PHP 5.0 candidate 1 PHP PHP 5.0 .0 PHP PHP 5.2 |
| Not Vulnerable: |
PHP PHP 5.2.3 |
Discussion
PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to determine the presence of files in unauthorized locations.
This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.
Versions prior to PHP 5.2.3 are vulnerable to this issue.
PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to determine the presence of files in unauthorized locations.
This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.
Versions prior to PHP 5.2.3 are vulnerable to this issue.
Exploit / POC
PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
Attackers may exploit these issues with standard PHP code.
Attackers may exploit these issues with standard PHP code.
Solution / Fix
PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
Solution:
The vendor released PHP 5.2.3 to address this and other issues. Please see the references for more information.
PHP PHP 5.2
PHP PHP 5.0 candidate 2
PHP PHP 5.0 .0
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 1
PHP PHP 5.0.1
PHP PHP 5.0.2
PHP PHP 5.0.3
PHP PHP 5.0.4
PHP PHP 5.0.5
PHP PHP 5.1
PHP PHP 5.1.1
PHP PHP 5.1.2
PHP PHP 5.1.3 -RC1
PHP PHP 5.1.3
PHP PHP 5.1.4
PHP PHP 5.1.5
PHP PHP 5.1.6
PHP PHP 5.2.1
PHP PHP 5.2.2
Solution:
The vendor released PHP 5.2.3 to address this and other issues. Please see the references for more information.
PHP PHP 5.2
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0 candidate 2
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0 .0
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0 candidate 3
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0 candidate 1
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0.1
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0.2
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0.3
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0.4
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.0.5
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.1
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.2
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.3 -RC1
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.3
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.4
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.5
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.1.6
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.2.1
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
PHP PHP 5.2.2
-
PHP PHP 5.2.3
http://www.php.net/downloads.php#v5
References
PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
References:
References:
- #41492 [NEW]: open_basedir bypass via readfile() (Bugs Dot Php Dot Net At Chsc Dot Dk)
- PHP 5 ChangeLog (PHP)
- PHP 5.2.3 Release Announcement (PHP)
- SUSE Security Announcement SUSE-SA:2007:044 (SUSE)