PHP copy() safe mode bypass
| php-copy-safemode-bypass (25706) |  Medium Risk |
Description:
PHP could allow a remote attacker to bypass safe mode restrictions, caused by improper validation of user-supplied input by the copy() function. A remote attacker could exploit this vulnerability using the compress.zlib:// file wrapper to bypass security restrictions and gain unauthorized access to arbitrary files on Web servers running an affected version of PHP.
Consequences:
Bypass Security
Remedy:
Upgrade to the latest version of PHP (5.1.3 or later), available from The PHP Group Web site. See References.
References:
- Full-Disclosure Mailing List, Sat Apr 08 2006 - 14:43:07 CDT: copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2.
- PHP CVS Repository: [cvs] Index of /php-src.
- The PHP Group Web site: PHP: Hypertext Preprocessor.
- The PHP Group Web site: PHP 5.1.3. Release Announcement.
- BID-17439: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
- CVE-2006-1608: The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.
- MDKSA-2006:074: php
- OSVDB ID: 24487: PHP copy() Function Safe Mode Bypass
- SA19599: PHP "phpinfo()" Cross-Site Scripting and Security Bypass
- SECTRACK ID: 1015882: PHP copy() Function Safe Mode Checking Error Lets Users Bypass Safe Mode File Access Restrictions
Platforms Affected:
- Canonical Ubuntu 5.04
- Canonical Ubuntu 5.10
- Canonical Ubuntu 6.06 LTS
- MandrakeSoft Mandrake Linux 2006
- MandrakeSoft Mandrake Linux 2006 X86_64
- MandrakeSoft Mandrake Linux LE2005 X86_64
- MandrakeSoft Mandrake Linux LE2005
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Multi Network Firewall 2.0
- PHP PHP 4.0 Beta1
- PHP PHP 4.0 Beta 4 Patch1
- PHP PHP 4.0 Beta2
- PHP PHP 4.0 Beta3
- PHP PHP 4.0 Beta4
- PHP PHP 4.0 RC1
- PHP PHP 4.0 RC2
- PHP PHP 4.0.0
- PHP PHP 4.0.1
- PHP PHP 4.0.2
- PHP PHP 4.0.3
- PHP PHP 4.0.4
- PHP PHP 4.0.5
- PHP PHP 4.0.6
- PHP PHP 4.0.7
- PHP PHP 4.1.0
- PHP PHP 4.1.1
- PHP PHP 4.1.2
- PHP PHP 4.1.3
- PHP PHP 4.2.0
- PHP PHP 4.2.1
- PHP PHP 4.2.2
- PHP PHP 4.2.3
- PHP PHP 4.2.4
- PHP PHP 4.3.0
- PHP PHP 4.3.1
- PHP PHP 4.3.10
- PHP PHP 4.3.11
- PHP PHP 4.3.2
- PHP PHP 4.3.3
- PHP PHP 4.3.4
- PHP PHP 4.3.5
- PHP PHP 4.3.6
- PHP PHP 4.3.7
- PHP PHP 4.3.8
- PHP PHP 4.3.9
- PHP PHP 4.4.0
- PHP PHP 4.4.1
- PHP PHP 4.4.2
- PHP PHP 5.0.0 Beta4
- PHP PHP 5.0.0 RC1
- PHP PHP 5.0.0 RC2
- PHP PHP 5.0.0 RC3
- PHP PHP 5.0.0 Beta1
- PHP PHP 5.0.0 Beta3
- PHP PHP 5.0.0
- PHP PHP 5.0.0 Beta2
- PHP PHP 5.0.1
- PHP PHP 5.0.2
- PHP PHP 5.0.3
- PHP PHP 5.0.4
- PHP PHP 5.0.5
- PHP PHP 5.1.0
- PHP PHP 5.1.1
- PHP PHP 5.1.2
- Turbolinux Turbolinux 10 Desktop
- Turbolinux Turbolinux 10 F...
- Turbolinux Turbolinux 10 Server
- Turbolinux Turbolinux 10 Server x64 Ed
- Turbolinux Turbolinux 7 Server
- Turbolinux Turbolinux 8 Server
- Turbolinux Turbolinux 8 Workstation
- Turbolinux Turbolinux Home
- Turbolinux Turbolinux Multimedia
- Turbolinux Turbolinux Personal
- Turbolinux Turbolinux Appliance Server 1.0 Hosting Ed
- Turbolinux Turbolinux Appliance Server 1.0 Workgroup Ed
- Turbolinux Turbolinux Appliance Server 2.0
Reported:
Apr 08, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net