Friday, November 13, 2009

PHP 5.2.11/5.3.0 Multiple Vulnerabilities

The first main problem exists in the symlink-based security model of
open_basedir. Paths like $target and $link are checked by open_basedir. We
can bypass open_basedir, but the function symlink() is not affected. The
issue has been generated by a flawed security model designed by PHP.

Under PHP 5.2.11 we can also bypass safe_mode. However, the security, such
as whether to run suphp php with the privileges of users also have their

We can use our exploit to show this vulnerability. If httpd allows reading
links (the default), we can create a symlink to / (of course, only if we have
access). If we cannot read the symlink, we can use the next PHP flaw, "hazard
syphon", to read other files.
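
An added audit example (not part of the original advisory): because the bypass depends on a symlink inside an allowed directory resolving to a path outside it, this Python script lists every symlink under a web root whose resolved target escapes that root. The function names and the temporary sample tree are constructed for illustration.

```python
import os
import tempfile

def find_escaping_symlinks(base_dir):
    """Return sorted (link_path, resolved_target) pairs for symlinks under
    base_dir whose fully resolved target lies outside base_dir."""
    base = os.path.realpath(base_dir)
    findings = []
    # followlinks=False: never descend through a link while auditing.
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links too
            # commonpath avoids the "/var/www" vs "/var/www-evil" prefix trap
            if os.path.commonpath([base, target]) != base:
                findings.append((os.path.relpath(path, base), target))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a web root with one internal and two escaping links."""
    top = tempfile.mkdtemp()
    webroot = os.path.join(top, "webroot")
    os.makedirs(os.path.join(webroot, "uploads"))
    index = os.path.join(webroot, "index.php")
    open(index, "w").close()
    # Link that stays inside the web root: must not be reported.
    os.symlink(index, os.path.join(webroot, "home.php"))
    # Link to /, the case the advisory describes.
    os.symlink("/", os.path.join(webroot, "uploads", "r"))
    # Chained link that reaches / through the link above.
    os.symlink(os.path.join(webroot, "uploads", "r"),
               os.path.join(webroot, "chain"))
    return webroot

if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_sample_tree()):
        print(f"{link} -> {target}")
```

Run it periodically against each virtual host's document root; any reported link deserves review, since open_basedir alone does not stop it from being followed by the web server.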

