CVE-2006-5178

Published: 10/10/2006 Updated: 30/10/2018
CVSS v2 Base Score: 6.2 | Impact Score: 10 | Exploitability Score: 1.9
VMScore: 625
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Summary

Race condition in the symlink function in PHP 5.1.6 and previous versions allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink.

Vulnerable Product

php php 4.0.1

php php 4.0.7

php php 4.2.1

php php 4.2.2

php php 4.3.3

php php 4.3.4

php php 4.4.1

php php 4.4.2

php php 5.0.4

php php 5.0.5

php php 5.1.4

php php 5.1.5

php php 4.0

php php 4.0.5

php php 4.0.6

php php 4.1.2

php php 4.2.0

php php 4.3.11

php php 4.3.2

php php 4.3.9

php php 4.4.0

php php 5.0.2

php php 5.0.3

php php 5.1.2

php php 5.1.3

php php 4.0.3

php php 4.0.4

php php 4.1.0

php php 4.1.1

php php 4.3.1

php php 4.3.10

php php 4.3.7

php php 4.3.8

php php 5.0.0

php php 5.0.1

php php 5.1.0

php php 5.1.1

php php 4.0.2

php php 4.2.3

php php 4.2

php php 4.3.0

php php 4.3.5

php php 4.3.6

php php 4.4.3

php php 4.4.4

php php 5.0

php php

Vendor Advisories

Debian Bug report logs - #391281 CVE-2006-4625: PHP Ini_Restore() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for libapache2-mod-php5 is src:php5 (PTS, buildd, popcon) Rep ...

Exploits

<?php
/*
PHP 5.2.12/5.3.1 symlink() open_basedir bypass
by Maksymilian Arciemowicz securityreason.com/
cxib [ aT] securityreason [ d0t] com
CHUJWAMWMUZG
*/
$fakedir="cx";
$fakedep=16;
$num=0; // offset of symlink$num
if(!empty($_GET['file'])) $file=$_GET['file'];
else if(!empty($_POST['file'])) $file=$_POST['file'];
else $file="";
...

Github Repositories

When PHP's open_basedir restriction is set, PHP disables the realpath cache for security reasons. This may hurt your application performance. The realpath_turbo PHP extension re-enables the realpath cache. Warning: This could be a security problem in your environment! Please read the README for further information.

realpath_turbo – Use realpath cache despite open_basedir restriction

When you set PHP's open_basedir restriction, PHP will deactivate the realpath cache. This will decrease the performance of any PHP application which uses multiple files (include_once, require_once) like WordPress, Drupal and Magento -- just to mention a few. The decision to deactivate the realpath