ISS X-Force Database: php-copy-safemode-bypass(25706): PHP copy() safe mode bypass

PHP copy() safe mode bypass

php-copy-safemode-bypass (25706)

Medium Risk

Description:

PHP could allow a remote attacker to bypass safe mode restrictions, caused by improper validation of user-supplied input by the copy() function. A remote attacker could exploit this vulnerability using the compress.zlib:// file wrapper to bypass security restrictions and gain unauthorized access to arbitrary files on Web servers running an affected version of PHP.

Platforms Affected:

Canonical, Ubuntu 5.04
Canonical, Ubuntu 5.10
Canonical, Ubuntu 6.06 LTS
MandrakeSoft, Mandrake Linux 2006
MandrakeSoft, Mandrake Linux 2006 X86_64
MandrakeSoft, Mandrake Linux LE2005 X86_64
MandrakeSoft, Mandrake Linux LE2005
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Multi Network Firewall 2.0
PHP, PHP 4.0 RC1
PHP, PHP 4.0 Beta4
PHP, PHP 4.0 Beta3
PHP, PHP 4.0 Beta2
PHP, PHP 4.0 Beta1
PHP, PHP 4.0 RC2
PHP, PHP 4.0 Beta 4 Patch1
PHP, PHP 4.0.0
PHP, PHP 4.0.1
PHP, PHP 4.0.2
PHP, PHP 4.0.3
PHP, PHP 4.0.4
PHP, PHP 4.0.5
PHP, PHP 4.0.6
PHP, PHP 4.0.7
PHP, PHP 4.1.0
PHP, PHP 4.1.1
PHP, PHP 4.1.2
PHP, PHP 4.1.3
PHP, PHP 4.2.0
PHP, PHP 4.2.1
PHP, PHP 4.2.2
PHP, PHP 4.2.3
PHP, PHP 4.2.4
PHP, PHP 4.3.0
PHP, PHP 4.3.1
PHP, PHP 4.3.10
PHP, PHP 4.3.11
PHP, PHP 4.3.2
PHP, PHP 4.3.3
PHP, PHP 4.3.4
PHP, PHP 4.3.5
PHP, PHP 4.3.6
PHP, PHP 4.3.7
PHP, PHP 4.3.8
PHP, PHP 4.3.9
PHP, PHP 4.4.0
PHP, PHP 4.4.1
PHP, PHP 4.4.2
PHP, PHP 5.0.0 RC1
PHP, PHP 5.0.0 RC2
PHP, PHP 5.0.0 RC3
PHP, PHP 5.0.0 Beta3
PHP, PHP 5.0.0 Beta2
PHP, PHP 5.0.0 Beta1
PHP, PHP 5.0.0
PHP, PHP 5.0.0 Beta4
PHP, PHP 5.0.1
PHP, PHP 5.0.2
PHP, PHP 5.0.3
PHP, PHP 5.0.4
PHP, PHP 5.0.5
PHP, PHP 5.1.0
PHP, PHP 5.1.1
PHP, PHP 5.1.2
Turbolinux, Turbolinux 10 Desktop
Turbolinux, Turbolinux 10 F...
Turbolinux, Turbolinux 10 Server
Turbolinux, Turbolinux 10 Server x64 Ed
Turbolinux, Turbolinux 7 Server
Turbolinux, Turbolinux 8 Server
Turbolinux, Turbolinux 8 Workstation
Turbolinux, Turbolinux Home
Turbolinux, Turbolinux Multimedia
Turbolinux, Turbolinux Personal
Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
Turbolinux, Turbolinux Appliance Server 2.0

Remedy:

Upgrade to the latest version of PHP (5.1.3 or later), available from The PHP Group Web site. See References.

Consequences:

Bypass Security

References:

Full-Disclosure Mailing List, Sat Apr 08 2006 - 14:43:07 CDT, copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2 at http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0172.html.
PHP CVS Repository, [cvs] Index of /php-src at http://cvs.php.net/viewcvs.cgi/php-src/.
The PHP Group Web site, PHP: Hypertext Preprocessor at http://www.php.net/.
The PHP Group Web site, PHP 5.1.3. Release Announcement at http://www.php.net/release_5_1_3.php.
BID-17439: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
CVE-2006-1608: The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.
MDKSA-2006:074: php
OSVDB ID: 24487: PHP copy() Function Safe Mode Bypass
SA19599: PHP "phpinfo()" Cross-Site Scripting and Security Bypass
SECTRACK ID: 1015882: PHP copy() Function Safe Mode Checking Error Lets Users Bypass Safe Mode File Access Restrictions

Reported:

Apr 08, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page