PHP imap_open() Function open_basedir/safe_mode Bypass

2006-02-28T06:47:36
ID OSVDB:23535
Type osvdb
Reporter (ced.clerget@free.fr)
Modified 2006-02-28T06:47:36

Description

Vulnerability Description

PHP contains a flaw that may allow a malicious local user to view arbitrary files and create or modify existing files with the same level of privilege as the web server. The issue is triggered when a script misuses the imap_open() function. It is possible that the flaw may allow reading arbitrary files or creating, renaming, or deleting existing files, resulting in a loss of confidentiality or integrity.

Technical Description

The imap_open() function itself only provides the ability to view arbitrary files, resulting in a loss of confidentiality. However, it can be leveraged by other functions, such as imap_createmailbox(), to obtain write access to any part of the filesystem for which the web server has privileges, resulting in a loss of integrity.

Solution Description

Upgrade to version 4.4.4, 5.1.5 or higher, as these releases have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://www.php.net/release_4_4_4.php
Vendor Specific News/Changelog Entry: http://www.php.net/release_5_1_5.php
Vendor Specific Advisory URL
Secunia Advisory ID: 18694
Secunia Advisory ID: 21050
Related OSVDB ID: 23536
Related OSVDB ID: 23534
Related OSVDB ID: 23537
Related OSVDB ID: 23538
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0538.html
ISS X-Force ID: 24964
FrSIRT Advisory: ADV-2006-0772
CVE-2006-1017