FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-2666

This CVE name corresponds to:

Entered: 2008-06-22
Topic: php -- input validation error in safe_mode

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2008-2666
Phase: Assigned (20080610)

Description

Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok function.

References

Source Reference
SREASONRES 20080617 PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass
BUGTRAQ 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2009-0035
CONFIRM http://support.apple.com/kb/HT3549
APPLE APPLE-SA-2009-05-12
GENTOO GLSA-200811-05
HP HPSBUX02431
HP SSRT090085
HP HPSBUX02465
HP SSRT090192
CERT TA09-133A
BID 29796
SECTRACK 1020328
SECUNIA 35074
SECUNIA 35650
SECUNIA 32746
SREASON 3942
VUPEN ADV-2009-1297
XF php-chdir-ftoc-security-bypass(43198)