[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request: php 5.3.1 - proc_open() bypass PHP
From: Josh Bressers <bressers () redhat ! com>
Date: 2009-11-23 20:49:28
Message-ID: 499213538.605701259009368603.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]
CVE-2009-4018
PHP before 5.3.1 proc_open() can be used to bypass the
safe_mode_protected_env_vars INI setting. This could be used to alter the
process environment possibly executing arbitrary code.
http://www.php.net/ChangeLog-5.php#5.3.1
http://bugs.php.net/bug.php?id=49026
http://marc.info/?l=oss-security&m=125897935330618&w=2
Thanks.
--
JB
----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:
> Hi Brian,
>
> security curmudgeon wrote:
> > On Fri, 20 Nov 2009, Thomas Biege wrote:
> >
> > : PHP was updated to version 5.3.1 and did also address security
> > : issues: http://www.php.net/releases/5_3_1.php
> > :
> > : Security Enhancements and Fixes in PHP 5.3.1:
> > :
> > : * Added "max_file_uploads" INI directive, which can be set to
> limit the number of file uploads per-request to 20 by default, to
> prevent possible DOS via temporary file exhaustion.
> > : * Added missing sanity checks around exif processing.
> >
> > This was previously disclosed and fixed in the 5.2.x tree. I believe
> this
> > is the same as CVE-2009-3292.
> >
> > : * Fixed a safe_mode bypass in tempnam().
> > : * Fixed a open_basedir bypass in posix_mkfifo().
> > : * Fixed bug #50063 (safe_mode_include_dir fails).
> > : * Fixed bug #44683 (popen crashes when an invalid mode is
> passed).
> >
> > Also not flagged as 'security' up top, but from the changelog:
> >
> > Fixed bug #49026 (proc_open() can bypass
> safe_mode_protected_env_vars
> > restrictions). (Ilia)
>
> Thank you for pointing this out.
>
> Yes, further look into particular php bugzilla returns:
>
> "Environment variables specified for proc_open passed without
> check so
> safe_mode_allowed_env_vars and safe_mode_protected_env_vars
> settings are
> ignored. So it become possible to use buffer overflow exploit
> with
> "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions
> and get
> access to any files acessible for apache uid."
>
> So looks another CVE id is needed here. Changed subject to:
> "CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026"
>
> Could we get another CVE id for this case?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> >
> > Brian
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic