Full Disclosure
mailing list archives
PHP 5.3.1 open_basedir bypass
From: Maksymilian Arciemowicz <cxib () securityreason com>
Date: Fri, 04 Dec 2009 01:27:50 +0100
hi,
in php 5.3.1 security changelog, we can read, that safe_mode bypass in
tempnam() has been already fixed. But safe_mode in 5.3 line is
deprecated. We can understand security fix for open_basedir bypass, but
not for safe_mode in 5.3.
Annoying is the fact, that exploit for bypass open_basedir or safe_mode
in php 5.3.1 is available in
http://securityreason.com/achievement_exploitalert/14
we can use symlink trick like in
http://securityreason.com/achievement_securityalert/70
The issue has been reported to PHP, but did not obtain a meaningful
response.
A very similar issue was reported in October 2006 by Stefan Esser
(SREASON:1692)
http://securityreason.com/securityalert/1692
This issue has been fixed.
A small difference with this is that we need to create a fake directory
structure.
--
Best Regards,
------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib)
<cxib () securityreason com>
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/