PHP 5.2.1 - 'Session.Save_Path()' TMPDIR open_basedir Restriction Bypass

source: https://www.securityfocus.com/bid/23183/info PHP is prone to a 'openbasedir' restriction-bypass vulnerability due to a design error. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations. This vulnerability would be an issu...

PHP compress.bzip2:// URL safe mode protection bypass

Safe mode and openbasedir limitations are not checked...

MOPB-21-2007:PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability

Summary The compress.bzip2:// URL Wrapper defined by the bz2 extension does not perform any safemode or openbasedir checks and therefore allows access to archives outside the basedir or safemode restrictions. Affected versions Affected is PHP = 5.2.1 Detailed information No details needed Proof o...

CVE-2007-1460

The zip:// URL wrapper provided by the PECL zip extension in PHP before 4.4.7, and 5.2.0 and 5.2.1, does not implement safemode or openbasedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories...

CVE-2007-1460

The zip:// URL wrapper provided by the PECL zip extension in PHP before 4.4.7, and 5.2.0 and 5.2.1, does not implement safemode or openbasedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories...

CVE-2007-1460

CVE-2007-1460 affects the PHP zip extension’s zip:// wrapper prior to PHP 4.4.7 and before 5.2.2 (including 5.2.0/5.2.1). The issue: safemode and open_basedir checks are not applied by the wrapper, allowing remote attackers to read ZIP archives located outside the intended directories. Impact per...

CVE-2007-1460

The zip:// URL wrapper provided by the PECL zip extension in PHP before 4.4.7, and 5.2.0 and 5.2.1, does not implement safemode or openbasedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories...

Buffer overflow

Zend Platform 2.2.3 and earlier has incorrect ownership for scd.sh and certain other files, which allows local users to gain root privileges by modifying the files. NOTE: this only occurs when safemode and openbasedir are disabled; other settings require leverage for other vulnerabilities...

CVE-2007-1370

Zend Platform 2.2.3 and earlier has incorrect ownership for scd.sh and certain other files, which allows local users to gain root privileges by modifying the files. NOTE: this only occurs when safemode and openbasedir are disabled; other settings require leverage for other vulnerabilities...

CVE-2007-1370

CVE-2007-1370 affects Zend Platform 2.2.3 and earlier, where incorrect file ownership (notably for scd.sh and related files) permits local users to gain root privileges by modifying those files. The issue occurs when safe_mode and open_basedir are disabled; other configurations may require differ...

Zend Platform不安全文件访问权限漏洞

Zend Platform是企业级PHP应用的运行时平台环境。 Zend Platform的文件安装存在权限配置错误，本地攻击者可能利用此漏洞获取权限提升。 Zend Platform所安装的一些二进制程序和SHELL脚本没有设置安全的文件访问权限，导致Web服务器用户或安装Zend Platform的用户帐号错误地拥有了某些文件。如果入侵了Web服务器或安装Zend Platform的用户帐号的话，攻击者就可以通过替换或编辑文件获得权限提升，在下一次服务器重启时以root用户权限执行文件。 Zend Platform = 2.2.3 ----...

Mandrake Linux Security Advisory : php (MDKSA-2006:185)

PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safemode and openbasedir, via the inirestore function, which resets the values to their php.ini Master Value defaults. CVE-2006-4625 A race condition in the symlink functi...

Mandrake Linux Security Advisory : php (MDKSA-2007:038)

PHP 5.2.0 and 4.4 allows local users to bypass safemode and openbasedir restrictions via a malicious path and a null byte before a ';' in a sessionsavepath argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.savepath...

Mandrake Linux Security Advisory : php (MDKSA-2006:196)

The Hardened-PHP Project discovered buffer overflows in htmlentities/htmlspecialchars internal routines to the PHP Project. The purpose of these functions is to be filled with user input. The overflow can only be when UTF-8 is used CVE-2006-5465 Unspecified vulnerabilities in PHP, probably before...

FreeBSD : php -- multiple vulnerabilities (7fcf1727-be71-11db-b2ec-000c6ec775d9)

Multiple vulnerabilities have been found in PHP, including : buffer overflows, stack overflows, format string, and information disclosure vulnerabilities. The session extension contained safemode and openbasedir bypasses, but the FreeBSD Security Officer does not consider these real security...

CVE-2007-0905

PHP before 5.2.1 allows attackers to bypass safemode and openbasedir restrictions via unspecified vectors in the session extension. NOTE: it is possible that this issue is a duplicate of CVE-2006-6383...

CVE-2007-0905

CVE-2007-0905 is described by Red Hat as a PHP vulnerability where PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir restrictions via unspecified vectors in the session extension. The description notes this may be a duplicate of CVE-2006-6383. The issue affects PHP prior to 5...

php -- multiple vulnerabilities

Multiple vulnerabilities have been found in PHP, including: buffer overflows, stack overflows, format string, and information disclosure vulnerabilities. The session extension contained safemode and openbasedir bypasses, but the FreeBSD Security Officer does not consider these real security...

PHP Session.Save_Path() Safe_Mode和Open_Basedir限制绕过漏洞

PHP是一款流行的网络编程语言。 PHP在处理会话信息的功能函数实现上存在漏洞，远程攻击者可能利用漏洞获得敏感信息或向非授权位置写入文件。 session.savepath可以设置在iniset, sessionsavepath函数中，在session.savepath必须包含保存tmp文件路径的数据，但session.savepath的语法为： /PATH 或者 N;/PATH N是字符串。 如： 1. sessionsavepath"/DIR/WHERE/YOU/HAVE/ACCESS" 2. sessionsavepath"5;/DIR/WHERE/YOU/HAVE/ACCESS"...

CVE-2006-6383

CVE-2006-6383 affects PHP 5.2.0 and 4.4. It allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ";" in a session_save_path argument, followed by an allowed path, causing PHP to validate the allowed path but set session.save_path to th...