Computer Security
[EN] no-pyccku

PHP safe mode protection bypass with htaccess
updated since 27.06.2007
SecurityVulns ID:7859
Threat Level:
Description:It's possible to manipulate function ini_set() and session_save_path() with htaccess settings.
Affected:PHP : PHP 4.4
 PHP : PHP 5.2
CVE:CVE-2007-3378 (The (1) session_save_path, (2) ini_set, and (3) error_log functions in PHP 4.4.7 and earlier, and PHP 5 5.2.3 and earlier, when invoked from a .htaccess file, allow remote attackers to bypass safe_mode and open_basedir restrictions and possibly execute arbitrary commands via php_value directives in .htaccess.)
Original documentdocumentMaksymilian Arciemowicz, PHP 5.2.4 mail.force_extra_parameters unsecure (26.11.2007)
 documentMaksymilian Arciemowicz, [Full-disclosure] PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability (27.06.2007)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod