PHP Bugs Let Local Users Bypass safe_mode and open_basedir Security Controls
|
|
SecurityTracker Alert ID: 1023661 |
|
SecurityTracker URL: http://securitytracker.com/id?1023661
|
|
CVE Reference:
CVE-2010-1129, CVE-2010-1130
(Links to External Site)
|
Updated: Mar 31 2010
|
Original Entry Date: Feb 27 2010
|
Impact:
Modification of system information, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 5.2.13
|
Description:
Two vulnerabilities were reported in PHP. A local user can bypass open_basedir and safe_mode security controls.
A local user can exploit a flaw in the safe_mode validation code in the tempnam() function.
A local user may be able to bypass open_basedir/safe_mode controls in the session extension.
Grzegorz Stachowiak reported one of these vulnerabilities.
The original advisory is available at:
http://securityreason.com/securityalert/7008
|
Impact:
A local user can create arbitrary files in writable directories.
|
Solution:
The vendor has issued a fix (5.2.13).
The vendor's advisory is available at:
http://www.php.net/ChangeLog-5.php#5.2.13
|
Vendor URL: www.php.,net/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 27 Feb 2010 01:33:13 +0000
Subject: PHP
|
http://www.php.net/ChangeLog-5.php#5.2.13
Security Fixes
* Improved LCG entropy. (Rasmus, Samy Kamkar)
* Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
* Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
|
|
