PHP file.c Security Bypass and Information Disclosure Vulnerability

Vulnerability ID: 1110028
Vulnerability type: Input validation
Published: 2006-04-10
Updated: 2006-04-10
CVE ID: CVE-2006-1608
CNNVD-ID: CNNVD-200604-121
Platform: PHP
CVSS score: 2.1
|Vulnerability sources
https://www.exploit-db.com/exploits/27596
https://cxsecurity.com/issue/WLB-2006040014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-121
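|Vulnerability details
The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.
|Exploit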
source: http://www.securityfocus.com/bid/17439/info
 
PHP is prone to multiple 'safe_mode' and 'open_basedir' restriction-bypass vulnerabilities. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.
 
These vulnerabilities would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, when the 'safe_mode' and 'open_basedir' restrictions are expected to isolate the users from each other.
 
These issues are reported to affect PHP versions 4.4.2 and 5.1.2; other versions may also be vulnerable.

copy("compress.zlib:///etc/passwd", "/home/<username>/passwd.txt");
|References

Source: SREASONRES
Name: 20060408 copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2
Link: http://securityreason.com/achievement_securityalert/37
Source: SECUNIA
Name: 19599
Link: http://secunia.com/advisories/19599
Source: XF
Name: php-copy-safemode-bypass(25706)
Link: http://xforce.iss.net/xforce/xfdb/25706
Source: UBUNTU
Name: USN-320-1
Link: http://www.ubuntu.com/usn/usn-320-1
Source: BID
Name: 17439
Link: http://www.securityfocus.com/bid/17439
Source: BUGTRAQ
Name: 20060723 Re: new shell bypass safe mode
Link: http://www.securityfocus.com/archive/1/archive/1/441210/100/0/threaded
Source: BUGTRAQ
Name: 20060718 new shell bypass safe mode
Link: http://www.securityfocus.com/archive/1/archive/1/440869/100/0/threaded
Source: BUGTRAQ
Name: 20060409 copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2
Link: http://www.securityfocus.com/archive/1/archive/1/430461/100/0/threaded
Source: OSVDB
Name: 24487
Link: http://www.osvdb.org/24487
Source: MANDRIVA
Name: MDKSA-2006:074
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:074
Source: VUPEN
Name: ADV-2006-1290
Link: http://www.frsirt.com/english/advisories/2006/1290
Source: us.php.net
Link: