Title: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities

Severity: MODERATE

Description:

PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

PHP is prone to multiple ''safe_mode'' and ''open_basedir'' restriction-bypass vulnerabilities. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.

These vulnerabilities would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, when the 'safe_mode' and 'open_basedir' restrictions are expected to isolate the users from each other.

The first issue is a 'safe_mode' bypass vulnerability in the 'copy()' function. When the source argument includes the 'compress.zlib://' prefix, attackers may specify arbitrary file locations on the computer without the 'safe_mode' restriction being validated. This allows attackers to gain access to arbitrary files on the hosting computer with the privileges of the hosting webserver.

The second issue is a 'open_basedir' bypass vulnerability in the 'tempnam()' function. The second argument may include '../' directory-traversal sequences to create files in arbitrary locations with the privileges of the hosting webserver. This allows attackers to create files in arbitrary locations outside of the configured 'open_basedir' path.

These issues are reported to affect PHP versions 4.4.2 and 5.1.2; other versions may also be vulnerable.

Affected Products:

Apple Mac OS X 10.0.0
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.4
Apple Mac OS X 10.1.0
Apple Mac OS X 10.1.0
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.5
Avaya Converged Communications Server 2.0.0
Avaya Intuity LX
Avaya Message Networking
Avaya Messaging Storage Server
Avaya Messaging Storage Server MM3.0
Avaya S8300 R2.0.0
Avaya S8300 R2.0.1
Avaya S8500 R2.0.0
Avaya S8500 R2.0.1
Avaya S8700 R2.0.0
Avaya S8700 R2.0.1
Avaya S8710 R2.0.0
Avaya S8710 R2.0.1
Caldera OpenLinux Server 3.1.0
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1.0
Caldera OpenLinux Workstation 3.1.1
Compaq Compaq Secure Web Server PHP 1.0.0
Conectiva Linux 6.0.0
Conectiva Linux 7.0.0
Debian Linux 2.2.0
Debian Linux 2.2.0 68k
Debian Linux 2.2.0 IA-32
Debian Linux 2.2.0 alpha
Debian Linux 2.2.0 arm
Debian Linux 2.2.0 powerpc
Debian Linux 2.2.0 sparc
Debian Linux 3.0.0 alpha
Debian Linux 3.0.0 arm
Debian Linux 3.0.0 hppa
Debian Linux 3.0.0 ia-32
Debian Linux 3.0.0 ia-64
Debian Linux 3.0.0 m68k
Debian Linux 3.0.0 mips
Debian Linux 3.0.0 mipsel
Debian Linux 3.0.0 ppc
Debian Linux 3.0.0 s/390
Debian Linux 3.0.0 sparc
EnGarde Secure Linux 1.0.1
Gentoo Linux
Gentoo Linux 1.2.0
Gentoo Linux 1.4.0 _rc1
Guardian Digital Engarde Secure Linux 1.0.1
HP Secure OS software for Linux 1.0.0
Linux kernel 2.4.19
Linux kernel 2.4.21
Linux kernel 2.6.5
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Corporate Server 2.1.0
MandrakeSoft Corporate Server 2.1.0 x86_64
MandrakeSoft Corporate Server 3.0.0
MandrakeSoft Corporate Server 3.0.0 x86_64
MandrakeSoft Linux Mandrake 10.0.0
MandrakeSoft Linux Mandrake 10.0.0 amd64
MandrakeSoft Linux Mandrake 10.1.0
MandrakeSoft Linux Mandrake 10.1.0 x86_64
MandrakeSoft Linux Mandrake 10.2.0
MandrakeSoft Linux Mandrake 10.2.0 x86_64
MandrakeSoft Linux Mandrake 2006.0.0
MandrakeSoft Linux Mandrake 2006.0.0 x86_64
MandrakeSoft Linux Mandrake 7.1.0
MandrakeSoft Linux Mandrake 7.2.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.0.0 ppc
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Linux Mandrake 8.2.0
MandrakeSoft Linux Mandrake 8.2.0 ppc
MandrakeSoft Linux Mandrake 9.0.0
MandrakeSoft Linux Mandrake 9.1.0
MandrakeSoft Linux Mandrake 9.1.0 ppc
MandrakeSoft Multi Network Firewall 2.0.0
MandrakeSoft Single Network Firewall 7.2.0
OpenPKG OpenPKG 1.1.0
OpenPKG OpenPKG Current
PHP PHP 4.0.0 0
PHP PHP 4.0.1
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1 pl2
PHP PHP 4.0.2
PHP PHP 4.0.3
PHP PHP 4.0.3 pl1
PHP PHP 4.0.4
PHP PHP 4.0.5
PHP PHP 4.0.6
PHP PHP 4.0.7
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC3
PHP PHP 4.1.0 .0
PHP PHP 4.1.1
PHP PHP 4.1.2
PHP PHP 4.2.0 -dev
PHP PHP 4.2.0 .0
PHP PHP 4.2.1
PHP PHP 4.2.2
PHP PHP 4.2.3
PHP PHP 4.3.0
PHP PHP 4.3.1
PHP PHP 4.3.10
PHP PHP 4.3.11
PHP PHP 4.3.2
PHP PHP 4.3.3
PHP PHP 4.3.4
PHP PHP 4.3.5
PHP PHP 4.3.6
PHP PHP 4.3.7
PHP PHP 4.3.8
PHP PHP 4.3.9
PHP PHP 4.4.0 .0
PHP PHP 4.4.1
PHP PHP 4.4.2
PHP PHP 5.0.0 .0
PHP PHP 5.0.0 candidate 1
PHP PHP 5.0.0 candidate 2
PHP PHP 5.0.0 candidate 3
PHP PHP 5.0.1
PHP PHP 5.0.2
PHP PHP 5.0.3
PHP PHP 5.0.4
PHP PHP 5.0.5
PHP PHP 5.1.0
PHP PHP 5.1.1
PHP PHP 5.1.2
PHP PHP 5.1.3-RC1
RedHat Advanced Workstation for the Itanium Processor 2.1.0
RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
RedHat Desktop 3.0.0
RedHat Desktop 4.0.0
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4
RedHat Fedora Core3
RedHat Linux 6.2.0
RedHat Linux 6.2.0 alpha
RedHat Linux 6.2.0 i386
RedHat Linux 6.2.0 sparc
RedHat Linux 7.0.0
RedHat Linux 7.0.0 alpha
RedHat Linux 7.0.0 i386
RedHat Linux 7.1.0
RedHat Linux 7.1.0 alpha
RedHat Linux 7.1.0 i386
RedHat Linux 7.1.0 ia64
RedHat Linux 7.2.0
RedHat Linux 7.2.0 i386
RedHat Linux 7.2.0 ia64
RedHat Linux 8.0.0
RedHat Linux 8.0.0 i386
RedHat Stronghold 4.0.0
S.u.S.E. Linux 6.4.0
S.u.S.E. Linux 6.4.0 alpha
S.u.S.E. Linux 6.4.0 i386
S.u.S.E. Linux 6.4.0 ppc
S.u.S.E. Linux 7.0.0
S.u.S.E. Linux 7.0.0 alpha
S.u.S.E. Linux 7.0.0 i386
S.u.S.E. Linux 7.0.0 ppc
S.u.S.E. Linux 7.0.0 sparc
S.u.S.E. Linux 7.1.0
S.u.S.E. Linux 7.1.0 alpha
S.u.S.E. Linux 7.1.0 ppc
S.u.S.E. Linux 7.1.0 sparc
S.u.S.E. Linux 7.1.0 x86
S.u.S.E. Linux 7.2.0
S.u.S.E. Linux 7.2.0 i386
S.u.S.E. Linux 7.3.0
S.u.S.E. Linux 7.3.0 i386
S.u.S.E. Linux 7.3.0 ppc
S.u.S.E. Linux 7.3.0 sparc
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386
S.u.S.E. Linux 8.1.0
S.u.S.E. Linux Enterprise Server 8
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server for S/390 9.0.0
S.u.S.E. Linux Personal 10.0.0 OSS
S.u.S.E. Linux Personal 8.2.0
S.u.S.E. Linux Personal 9.0.0
S.u.S.E. Linux Personal 9.0.0 x86_64
S.u.S.E. Linux Personal 9.1.0
S.u.S.E. Linux Personal 9.1.0 x86_64
S.u.S.E. Linux Personal 9.2.0
S.u.S.E. Linux Personal 9.2.0 x86_64
S.u.S.E. Linux Personal 9.3.0
S.u.S.E. Linux Personal 9.3.0 x86_64
S.u.S.E. Linux Professional 10.0.0
S.u.S.E. Linux Professional 10.0.0 OSS
S.u.S.E. Linux Professional 9.1.0
S.u.S.E. Linux Professional 9.1.0 x86_64
S.u.S.E. Linux Professional 9.2.0
S.u.S.E. Linux Professional 9.2.0 x86_64
S.u.S.E. Linux Professional 9.3.0
S.u.S.E. Linux Professional 9.3.0 x86_64
S.u.S.E. UnitedLinux 1.0.0
SGI ProPack 3.0.0 SP6
Slackware Linux 8.1.0
Sun Cobalt Control Station 4100CS
Sun Cobalt Qube3 4000WG
Sun Cobalt Qube3 Japanese 4000WGJ
Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
Sun Cobalt Qube3 w/ Caching and RAID 4100WG
Sun Cobalt Qube3 w/Caching 4010WG
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR 3500R
Sun Cobalt RaQ XTR Japanese 3500R-ja
Sun Cobalt RaQ4 3001R
Sun Cobalt RaQ4 Japanese RAID 3100R-ja
Sun Cobalt RaQ4 RAID 3100R
Sun LX50
Trustix Secure Enterprise Linux 2.0.0
Trustix Secure Linux 1.5.0
Trustix Secure Linux 2.0.0
Trustix Secure Linux 2.1.0
Trustix Secure Linux 2.2.0
Turbolinux Appliance Server 1.0.0 Hosting Edition
Turbolinux Appliance Server 1.0.0 Workgroup Edition
Turbolinux Appliance Server 2.0
Turbolinux Appliance Server Hosting Edition 1.0.0
Turbolinux Appliance Server Workgroup Edition 1.0.0
Turbolinux Home
Turbolinux Multimedia
Turbolinux Personal
Turbolinux Turbolinux 10 F...
Turbolinux Turbolinux Desktop 10.0.0
Turbolinux Turbolinux Server 10.0.0
Turbolinux Turbolinux Server 10.0.0 x86
Turbolinux Turbolinux Server 7.0.0
Turbolinux Turbolinux Server 7.0.0
Turbolinux Turbolinux Server 8.0.0
Turbolinux Turbolinux Server 8.0.0
Turbolinux Turbolinux Workstation 7.0.0
Turbolinux Turbolinux Workstation 8.0.0
Turbolinux Turbolinux Workstation 8.0.0
Ubuntu Ubuntu Linux 4.1.0 ia32
Ubuntu Ubuntu Linux 4.1.0 ia64
Ubuntu Ubuntu Linux 4.1.0 ppc
Ubuntu Ubuntu Linux 5.0.0 4 amd64
Ubuntu Ubuntu Linux 5.0.0 4 i386
Ubuntu Ubuntu Linux 5.0.0 4 powerpc
Ubuntu Ubuntu Linux 5.10.0 amd64
Ubuntu Ubuntu Linux 5.10.0 i386
Ubuntu Ubuntu Linux 5.10.0 powerpc
Ubuntu Ubuntu Linux 5.10.0 sparc
Ubuntu Ubuntu Linux 6.06 LTS amd64
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS sparc

References:

Avaya: ASA-2006-175 - php security update (RHSA-2006-0568)
Avaya: ASA-2006-179 - php security update (RHSA-2006-0567)
PHP: PHP Homepage
PHP: PHP NEWS
Red Hat: RHSA-2006:0549-7 - php security update for Stronghold
Red Hat: RHSA-2006:0567-7 - php security update
Red Hat: RHSA-2006:0568-8 - php security update

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.

J-Security Center

Title: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities

Severity: MODERATE

Description:

Affected Products:

References: