iPolicy Networks Security Advisory
 

PHP safe_mode and open_basedir Restriction Bypass Vulnerability

Date Discovered: 03/26/2010
Severity: High
Application Affected: PHP 5.3.0 (5.3 branch before 5.3.1)
                      PHP 5.2.12 and earlier
Identifiers: CVE-2010-1130
Synopsis
PHP 5.2.12 and earlier, and PHP 5.3.0, are prone to a restriction bypass vulnerability. The weakness is due to improper handling of the ';' (semicolon) separators in the argument to the session_save_path() function (the same value set through the session.save_path ini setting). An attacker who can call session_save_path(), such as a user of a shared host confined by open_basedir or safe_mode, can exploit it to bypass those restrictions.
Recommended Actions
Upgrade to PHP 5.2.13 (or to 5.3.1 for the 5.3 branch), as directed by the vendor:
http://www.php.net/releases/5_2_13.php
Threat Analysis
PHP is an HTML-embedded scripting language. PHP 5.2.12 and earlier, and PHP 5.3.0, are vulnerable to a security bypass. The vulnerability is caused by improper handling of the argument to the session_save_path() function: the value accepted by PHP's files session handler may carry optional prefixes separated by ';' ("N;MODE;/path", where N is the directory depth and MODE the octal file mode), and the open_basedir/safe_mode check did not interpret those ';' characters correctly when locating the directory portion of the argument. As a result, the directory that was validated could differ from the directory the session handler actually used.

An attacker can exploit this by passing an argument that contains multiple ';' characters in conjunction with '..' (dot dot) path components. The restriction check passes while the session handler operates on a directory outside the permitted path, allowing the attacker to bypass open_basedir and safe_mode restrictions, cause session files to be created or read outside the allowed directories, and gain access to sensitive information.
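The C program below is an added illustration, not code from this advisory or from PHP's source tree. It models the two places that parse a session.save_path value: handler_dir() follows the "N;MODE;path" syntax the way the files save handler does (at most two ';'-terminated prefixes are stripped, the remainder is the directory); checked_dir_vulnerable() models a restriction check that instead validates only the text after the last ';', which is the reading of the bug used here and should be taken as an assumption; checked_dir_fixed() strips prefixes exactly like the handler, which is the property the vendor patch restores. within_basedir() is a deliberately simplified stand-in for PHP's php_check_open_basedir(). The crafted and benign input strings are constructed for this example; whether a given string yields a usable session directory on a real host is not claimed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of session.save_path parsing (added example, not PHP's source).
 * Accepted syntax: "[N;[MODE;]]directory" where N is the directory depth
 * and MODE an octal file mode; the directory itself may contain ';'.
 */

/* Files save handler model: strip at most two ';'-terminated prefixes;
 * whatever remains is the directory that session files are written to. */
static const char *handler_dir(const char *save_path)
{
    const char *dir = save_path;
    const char *p = strchr(save_path, ';');
    int prefixes = 0;

    while (p != NULL) {
        prefixes++;
        dir = ++p;
        p = strchr(p, ';');
        if (prefixes >= 2) {
            break;
        }
    }
    return dir;
}

/* Vulnerable restriction check (assumed behaviour): validates only the
 * text after the LAST ';', which need not be what the handler uses. */
static const char *checked_dir_vulnerable(const char *save_path)
{
    const char *p = strrchr(save_path, ';');
    return p != NULL ? p + 1 : save_path;
}

/* Fixed restriction check: strip at most two prefixes, so the validated
 * string is byte-for-byte the one the handler will open. */
static const char *checked_dir_fixed(const char *save_path)
{
    const char *p = strchr(save_path, ';');
    const char *p2;

    if (p == NULL) {
        return save_path;
    }
    p++;
    if ((p2 = strchr(p, ';')) != NULL) {
        p = p2 + 1;
    }
    return p;
}

/* Simplified stand-in for php_check_open_basedir(): the directory must be
 * the base itself or lie below it, and must not contain "..". */
static int within_basedir(const char *dir, const char *base)
{
    size_t n = strlen(base);

    if (strstr(dir, "..") != NULL) {
        return 0;
    }
    if (strncmp(dir, base, n) != 0) {
        return 0;
    }
    return dir[n] == '\0' || dir[n] == '/';
}

typedef const char *(*dir_check_fn)(const char *);

/* 1 if the check accepts the value against `base`, 0 if it rejects it. */
static int check_accepts(dir_check_fn check, const char *save_path, const char *base)
{
    return within_basedir(check(save_path), base);
}

/* 1 if the check and the handler would operate on the same directory
 * string: the property the fix restores. */
static int check_matches_handler(dir_check_fn check, const char *save_path)
{
    return strcmp(check(save_path), handler_dir(save_path)) == 0;
}

int main(void)
{
    /* Constructed input: two legitimate prefixes, a ".." component, then a
     * further ';' followed by the directory that open_basedir permits. */
    const char *base = "/var/www/sessions";
    const char *crafted = "5;0600;../../elsewhere;/var/www/sessions";
    const char *benign = "5;0600;/var/www/sessions";

    printf("handler would use   : %s\n", handler_dir(crafted));
    printf("vulnerable check saw: %s (accepted=%d)\n",
           checked_dir_vulnerable(crafted),
           check_accepts(checked_dir_vulnerable, crafted, base));
    printf("fixed check sees    : %s (accepted=%d)\n",
           checked_dir_fixed(crafted),
           check_accepts(checked_dir_fixed, crafted, base));
    printf("benign value accepted by fixed check: %d\n",
           check_accepts(checked_dir_fixed, benign, base));
    return 0;
}
```

The general lesson is the one a reviewer should apply to any restriction check: the validated value must be derived by the same parser, from the same bytes, as the value the privileged operation consumes. The vulnerable model accepts the crafted string because it inspects "/var/www/sessions" while the handler would use "../../elsewhere;/var/www/sessions"; the fixed model rejects it because both now see the same string.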
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1130

Write-up by: Anupam Kumar