Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update]

[Milen Rangelov <mrangelov () globul bg>]

Hello, 


> CVE-2009-4018

> PHP before 5.3.1 proc_open() can be used to bypass the
> safe_mode_protected_env_vars INI setting. This could be used to alter the
> process environment possibly executing arbitrary code.
>
>
> http://www.php.net/ChangeLog-5.php#5.3.1
> http://bugs.php.net/bug.php?id=49026
> http://marc.info/?l=oss-security&m=125897935330618&w=2
>
> Thanks.
>
> -- 
>    JB




Great to see an almost one-year-old bug getting fixed (and assigned a
CVE ID for that matter).

It was reported back in 2008 but apparently noone took care:

http://www.securityfocus.com/bid/32717/info


Regards,

Milen Rangelov