J-Security Center

Title: PHP Safedir Restriction Bypass Vulnerabilities

Severity: MODERATE

Description:

PHP is a general-purpose scripting language that is especially suited to Web development and can be embedded into HTML. The 'safedir' feature limits file access to a specific base directory.

PHP is prone to multiple vulnerabilities that permit an attacker to bypass the 'safedir' directory restriction.

The 'imagegif()', 'imagepng()' and 'imagejpeg()' functions, as part of the GD extension, permit an attacker to specify a full directory path to a local file. An attacker can exploit this vulnerability to execute arbitrary files located on the vulnerable system, or retrieve the contents of arbitrary files, all in the security context of the Web server process.

The 'curl_init()' function is susceptible to directory traversal attacks. An attacker can exploit this vulnerability to retrieve the contents of an arbitrary file on the affected system in the security context of the Web server process.

Information obtained may aid in further attacks against the affected system; other attacks are also possible.

These issues have been addressed in the latest CVS version.
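
The missing base-directory check described above, written as an application-level guard. This is an added example, not code from PHP or from this advisory; BASE_DIR, path_inside_base(), safe_imagepng() and safe_curl_init() are hypothetical names, and limiting cURL to http/https is an assumed mitigation because the advisory does not give the URL form involved.

```php
<?php
// Added example: application-level guard, not PHP's own fix.
const BASE_DIR = '/var/www/app/uploads'; // constructed sample value

// Return the canonical $path if it lies inside $base, else null. The output
// file may not exist yet, so only its parent directory is resolved.
function path_inside_base(string $path, string $base): ?string
{
    $realBase = realpath($base);
    $realDir  = realpath(dirname($path));
    $name     = basename($path);
    if ($realBase === false || $realDir === false || in_array($name, ['', '.', '..'], true)) {
        return null;
    }
    $sep       = DIRECTORY_SEPARATOR;
    $realBase  = rtrim($realBase, $sep) . $sep;
    $candidate = rtrim($realDir, $sep) . $sep . $name;
    // Trailing separator stops "/base-other" from matching "/base".
    if (strncmp($candidate, $realBase, strlen($realBase)) !== 0) {
        return null;
    }
    // An existing symlink at the target could still point outside the base.
    return is_link($candidate) ? null : $candidate;
}

// Hypothetical wrapper: write a GD image only below BASE_DIR.
function safe_imagepng($image, string $path): bool
{
    $target = path_inside_base($path, BASE_DIR);
    if ($target === null) {
        error_log('blocked image write outside base dir: ' . json_encode($path));
        return false;
    }
    return imagepng($image, $target);
}

// Hypothetical wrapper: a cURL handle that can only speak http/https
// (assumed mitigation; the advisory does not give the URL form used).
function safe_curl_init(string $url)
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_URL, $url);
    return $ch;
}
```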

Affected Products:

  • PHP 5.0.5
