Open Source and information security mailing list archives
Date: Thu, 3 Dec 2009 17:10:42 -0700
From: cxib@...urityreason.com
To: bugtraq@...urityfocus.com
Subject: PHP 5.3.1 open_basedir bypass

hi,

In the PHP 5.3.1 security changelog, we can read that the safe_mode bypass in tempnam() has already been fixed. But safe_mode in the 5.3 line is deprecated. We can understand a security fix for an open_basedir bypass, but not for safe_mode in 5.3.
Annoying is the fact that an exploit for bypassing open_basedir or safe_mode in PHP 5.3.1 is available at

http://securityreason.com/achievement_exploitalert/14

We can use the symlink trick, as in

http://securityreason.com/achievement_securityalert/70

The issue has been reported to PHP, but did not obtain a meaningful response.
A very similar issue was reported in October 2006 by Stefan Esser (SREASON:1692)

http://securityreason.com/securityalert/1692

This issue has been fixed.
The small difference with this one is that we need to create a fake directory structure.

best,
Maksymilian Arciemowicz
cxibTAsecurityreasonTODcom
