Message-ID: <4B185786.2050007@securityreason.com>
Date: Fri, 04 Dec 2009 01:27:50 +0100
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PHP 5.3.1 open_basedir bypass
hi,
In the PHP 5.3.1 security changelog, we can read that the safe_mode bypass in
tempnam() has already been fixed. But safe_mode in the 5.3 line is
deprecated. We can understand a security fix for the open_basedir bypass, but
not for safe_mode in 5.3.
Annoying is the fact that an exploit for bypassing open_basedir or safe_mode
in PHP 5.3.1 is available at
http://securityreason.com/achievement_exploitalert/14
We can use the symlink trick like in
http://securityreason.com/achievement_securityalert/70
The issue has been reported to PHP, but did not obtain a meaningful
response.
A very similar issue was reported in October 2006 by Stefan Esser
(SREASON:1692)
http://securityreason.com/securityalert/1692
That issue has been fixed.
A small difference with this one is that we need to create a fake directory
structure.
--
Best Regards,
------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib)
<cxib@...urityreason.com>
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/