Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

PHP 5.3.1 open_basedir bypass

From: Maksymilian Arciemowicz <cxib () securityreason com>
Date: Fri, 04 Dec 2009 01:27:50 +0100
hi,

in php 5.3.1 security changelog, we can read, that safe_mode bypass in
tempnam() has been already fixed. But safe_mode in 5.3 line is
deprecated. We can understand security fix for open_basedir bypass, but
not for safe_mode in 5.3.
Annoying is the fact, that exploit for bypass open_basedir or safe_mode
in php 5.3.1 is avaliable in

http://securityreason.com/achievement_exploitalert/14

we can use symlink trick like in

http://securityreason.com/achievement_securityalert/70

The issue has been reported to PHP, but did not obtain a meaningful
response.
Very similar issue has been reproted in October 2006 by Stefan Esser
(SREASON:1692)

http://securityreason.com/securityalert/1692

This issue has been fixed.
Small difference, with this is that we need create fake directories
structure.

-- 
Best Regards,
------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib () securityreason com>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: