PHP copy() safe mode bypass
| php-copy-safemode-bypass (25706) |
Description:
PHP could allow a remote attacker to bypass safe mode restrictions, caused by improper validation of user-supplied input by the copy() function. A remote attacker could exploit this vulnerability using the compress.zlib:// file wrapper to bypass security restrictions and gain unauthorized access to arbitrary files on Web servers running an affected version of PHP.
Platforms Affected:
- Canonical, Ubuntu 5.04
- Canonical, Ubuntu 5.10
- Canonical, Ubuntu 6.06 LTS
- MandrakeSoft, Mandrake Linux 2006
- MandrakeSoft, Mandrake Linux 2006 X86_64
- MandrakeSoft, Mandrake Linux LE2005 X86_64
- MandrakeSoft, Mandrake Linux LE2005
- MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0
- MandrakeSoft, Mandrake Multi Network Firewall 2.0
- PHP, PHP 4.0 RC1
- PHP, PHP 4.0 Beta4
- PHP, PHP 4.0 Beta3
- PHP, PHP 4.0 Beta2
- PHP, PHP 4.0 Beta1
- PHP, PHP 4.0 RC2
- PHP, PHP 4.0 Beta 4 Patch1
- PHP, PHP 4.0.0
- PHP, PHP 4.0.1
- PHP, PHP 4.0.2
- PHP, PHP 4.0.3
- PHP, PHP 4.0.4
- PHP, PHP 4.0.5
- PHP, PHP 4.0.6
- PHP, PHP 4.0.7
- PHP, PHP 4.1.0
- PHP, PHP 4.1.1
- PHP, PHP 4.1.2
- PHP, PHP 4.1.3
- PHP, PHP 4.2.0
- PHP, PHP 4.2.1
- PHP, PHP 4.2.2
- PHP, PHP 4.2.3
- PHP, PHP 4.2.4
- PHP, PHP 4.3.0
- PHP, PHP 4.3.1
- PHP, PHP 4.3.10
- PHP, PHP 4.3.11
- PHP, PHP 4.3.2
- PHP, PHP 4.3.3
- PHP, PHP 4.3.4
- PHP, PHP 4.3.5
- PHP, PHP 4.3.6
- PHP, PHP 4.3.7
- PHP, PHP 4.3.8
- PHP, PHP 4.3.9
- PHP, PHP 4.4.0
- PHP, PHP 4.4.1
- PHP, PHP 4.4.2
- PHP, PHP 5.0.0 RC1
- PHP, PHP 5.0.0 RC2
- PHP, PHP 5.0.0 RC3
- PHP, PHP 5.0.0 Beta3
- PHP, PHP 5.0.0 Beta2
- PHP, PHP 5.0.0 Beta1
- PHP, PHP 5.0.0
- PHP, PHP 5.0.0 Beta4
- PHP, PHP 5.0.1
- PHP, PHP 5.0.2
- PHP, PHP 5.0.3
- PHP, PHP 5.0.4
- PHP, PHP 5.0.5
- PHP, PHP 5.1.0
- PHP, PHP 5.1.1
- PHP, PHP 5.1.2
- Turbolinux, Turbolinux 10 Desktop
- Turbolinux, Turbolinux 10 F...
- Turbolinux, Turbolinux 10 Server
- Turbolinux, Turbolinux 10 Server x64 Ed
- Turbolinux, Turbolinux 7 Server
- Turbolinux, Turbolinux 8 Server
- Turbolinux, Turbolinux 8 Workstation
- Turbolinux, Turbolinux Home
- Turbolinux, Turbolinux Multimedia
- Turbolinux, Turbolinux Personal
- Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
- Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
- Turbolinux, Turbolinux Appliance Server 2.0
Remedy:
Upgrade to the latest version of PHP (5.1.3 or later), available from The PHP Group Web site. See References.
Consequences:
Bypass Security
References:
- Full-Disclosure Mailing List, Sat Apr 08 2006 - 14:43:07 CDT, copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2 at http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0172.html.
- PHP CVS Repository, [cvs] Index of /php-src at http://cvs.php.net/viewcvs.cgi/php-src/.
- The PHP Group Web site, PHP: Hypertext Preprocessor at http://www.php.net/.
- The PHP Group Web site, PHP 5.1.3. Release Announcement at http://www.php.net/release_5_1_3.php.
- BID-17439: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
- CVE-2006-1608: The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.
- MDKSA-2006:074: php
- OSVDB ID: 24487: PHP copy() Function Safe Mode Bypass
- SA19599: PHP "phpinfo()" Cross-Site Scripting and Security Bypass
- SECTRACK ID: 1015882: PHP copy() Function Safe Mode Checking Error Lets Users Bypass Safe Mode File Access Restrictions
Reported:
Apr 08, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
