256 matches found
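PHP symlink open_basedir security restriction bypass vulnerability
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML. PHP has a flaw in how it checks and handles file access paths; a local attacker could exploit it to gain unauthorized access to files. PHP's open_basedir feature prevents scripts from accessing files outside the configured base directories. The check is performed by the file-handling PHP functions before the actual open call takes place. There is a time gap between the check and the actual open call, and an attacker can use it to change the checked path so that it points to a file that the open_basedir restriction forbids...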
CVE-2006-5178
Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as...
PHP open_basedir with symlink() function Race Condition PoC exploit
Neo Security Team NST - Advisory 26 - 09/10/06. Program: PHP. Homepage: http://www.php.net. Vulnerable Versions: PHP 3, 4, 5. Risk: High! Impact: Critical Risk. PHP open_basedir with...
PHP open_basedir protection bypass
By using symbolic links in race period of time it's possible to bypass open_basedir protection...
nst-php-openbasedir.txt
Neo Security Team NST - Advisory 26 - 09/10/06...
FreeBSD : php -- open_basedir Race Condition Vulnerability (edabe438-542f-11db-a5ae-00508d6a62df)
Stefan Esser reports: PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed. Obviously there is a little span of time...
Advisory 08/2006: PHP open_basedir Race Condition Vulnerability
Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: PHP open_basedir Race Condition Vulnerability Release Date: 2006/10/04 Last Modified: 2006/10/04 Author: Stefan Esser Application: PHP 4/5 Not affected:...
php -- open_basedir Race Condition Vulnerability
Stefan Esser reports: PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed. Obviously there is a little span of time...
CVE-2006-4625
PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults...
PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass
source: https://www.securityfocus.com/bid/19933/info PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations. This vulnerability would be an issue in...
[Full-disclosure] [ MDKSA-2006:162 ] - Updated php packages fix vulnerabilities
Mandriva Linux Security Advisory MDKSA-2006:162 http://www.mandriva.com/security/ Package: php Date: September 7, 2006 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0 Problem Description: The (1) file_exists and (2) imap_reopen functions in PH...
USN-342-1: PHP vulnerabilities
The sscanf function did not properly check array boundaries. In applications which use sscanf with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application's privileges. CVE-2006-4020 The fileexis...
CVE-2006-4483
The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache...
CVE-2006-4481
The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. NOTE: the error_log function is covered by CVE-2006-3011, and the imap_open function is covered by CVE-2006-1017...
CVE-2006-4481
CVE-2006-4481 affects PHP prior to 5.1.5. The vulnerability lies in the file_exists and imap_reopen functions not enforcing safe_mode or open_basedir, enabling local bypass of these restrictions. Exploitation details are not provided in the supplied documents. Affected component: PHP core (file_e...
CVE-2006-4483
CVE-2006-4483 affects PHP 5.1.x before 5.1.5, specifically the curl extension files ext/curl/interface.c and ext/curl/streams.c. When open_basedir or safe_mode are enabled, CURLOPT_FOLLOWLOCATION is permitted, which can enable unauthorized actions and may relate to the realpath cache. Public advi...
[slackware-security] php
New php packages are available for Slackware 10.2 and -current to fix security and other issues. More details about these issues may be found on the PHP website: http://www.php.net Here are the details from the Slackware 10.2 ChangeLog: patches/packages/php-4.4.4-i486-1slack10.2.tgz: Upgraded to...
PHP 4.4.4 and PHP 5.1.5 Released
PHP 4.4.4 and PHP 5.1.5 Released 17-Aug-2006 The PHP development team would like to announce the immediate availability of PHP 5.1.5 and 4.4.4. These two releases address a series of security problems that were discovered since the release of PHP 5.1.4 and 4.4.3. The new releases include the...
RHEL 2.1 : php (RHSA-2006:0567)
Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. ...
Moderate: Red Hat Security Advisory: php security update
Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. ...