PHP .htaccess security bypass

php-htaccess-security-bypass (35102)

Medium Risk

Description:

PHP could allow a remote attacker to bypass security restrictions, caused by an error in the session_save_path() and ini_set() functions. A remote attacker could exploit this vulnerability by using directives in the .htaccess file to bypass open_basedir or safe_mode restrictions to gain unauthorized access and modify configuration settings.

Platforms Affected:

• Apple, Mac OS X 10.4.11
• Apple, Mac OS X Server 10.4.11
• Apple, Mac OS X Server 10.5.2
• Gentoo, Linux
• HP, HP-UX B.11.11
• HP, HP-UX B.11.23
• HP, HP-UX B.11.31
• PHP, PHP 4.4.7 and prior
• PHP, PHP 5.2.3 and prior

Remedy:

Upgrade to the latest version of PHP (5.2.4 or later), available from the PHP Web site. See References.

For Mac OS X:
Apply Security Update 2008-002, available from the Apple Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Bypass Security

References:

• Apple Web site, About Security Update 2008-002 at http://docs.info.apple.com/article.html?artnum=307562.
• HPSBUX02332 SSRT080056 rev.1, HP-UX running Apache with PHP, Remote Denial of Service (DoS), Gain Extended Privileges at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01438646.
• PHP Web site, PHP: Hypertext Preprocessor at http://www.php.net/.
• SecurityReason Advisory, SecurityAlert : 45, PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass at http://securityreason.com/achievement_securityalert/45.
• SecurityReason Advisory, SecurityAlert : 47, PHP 5.2.4 mail.force_extra_parameters unsecure at http://securityreason.com/achievement_securityalert/47.
• ASA-2008-053: HP-UX Running Apache Remote Execution of Arbitrary Code (HPSBUX02308)
• ASA-2008-198: HP-UX running Apache with PHP Remote Denial of Service (DoS) Gain Extended Privileges (HPSBUX02332)
• BID-24661: PHP .Htaccess Safe_Mode and Open_Basedir Restriction-Bypass Vulnerability
• BID-25498: PHP 5.2.3 and Prior Versions Multiple Vulnerabilities
• CVE-2007-3378: The (1) session_save_path, (2) ini_set, and (3) error_log functions in PHP 4.4.7 and earlier, and PHP 5 5.2.3 and earlier, when invoked from a .htaccess file, allow remote attackers to bypass safe_mode and open_basedir restrictions and possibly execute arbitrary commands, as demonstrated using (a) php_value, (b) php_flag, and (c) directives in .htaccess.
• FrSIRT/ADV-2007-3023: PHP Multiple Function and Extension Code Execution and Security Bypass Issues
• FrSIRT/ADV-2008-0398: HP-UX Security Update Fixes Apache Code Execution Vulnerabilities
• FrSIRT/ADV-2008-0924: Apple Mac OS X Command Execution and Security Bypass Issues
• GLSA-200710-02: PHP: Multiple vulnerabilities
• SA26642: PHP Multiple Vulnerabilities
• SA27648: PHP Multiple Vulnerabilities
• SA28318: PHP Multiple Vulnerabilities
• SA29420: Mac OS X Security Update Fixes Multiple Vulnerabilities

Reported:

Jun 27, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page