Vulnerabilities > CVE-2006-1494 - Safe_Mode and Open_Basedir Restriction Bypass vulnerability in PHP
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
Vulnerable Configurations
Exploit-Db
| description | PHP 4.x tempnam() Function open_basedir Restriction Bypass. CVE-2006-1494. Remote exploit for php platform |
| id | EDB-ID:27595 |
| last seen | 2016-02-03 |
| modified | 2006-04-10 |
| published | 2006-04-10 |
| reporter | Maksymilian Arciemowicz |
| source | https://www.exploit-db.com/download/27595/ |
| title | PHP 4.x tempnam Function open_basedir Restriction Bypass |
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0568.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the last seen 2020-06-01 modified 2020-06-02 plugin id 22037 published 2006-07-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22037 title CentOS 3 / 4 : php (CESA-2006:0568) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0567.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the zend_hash_del() PHP function. For PHP scripts that rely on the use of the unset() function, a remote attacker could force variable initialization to be bypassed. This would be a security issue particularly for installations that enable the last seen 2020-06-01 modified 2020-06-02 plugin id 22110 published 2006-07-28 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22110 title RHEL 2.1 : php (RHSA-2006:0567) NASL family CGI abuses NASL id PHP_4_4_3.NASL description According to its banner, the version of PHP installed on the remote host is older than 4.4.3 / 5.1.4. Such versions may be affected by several issues, including a buffer overflow, heap corruption, and a flaw by which a variable may survive a call to last seen 2020-06-01 modified 2020-06-02 plugin id 22268 published 2006-08-25 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22268 title PHP < 4.4.3 / 5.1.4 Multiple Vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0568.NASL description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the last seen 2020-06-01 modified 2020-06-02 plugin id 22044 published 2006-07-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22044 title RHEL 3 / 4 : php (RHSA-2006:0568) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-196.NASL description The Hardened-PHP Project discovered buffer overflows in htmlentities/htmlspecialchars internal routines to the PHP Project. The purpose of these functions is to be filled with user input. (The overflow can only be when UTF-8 is used) (CVE-2006-5465) Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap CVE-2006-1494. (CVE-2006-5706) Updated packages have been patched to correct these issues. Users must restart Apache for the changes to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 24581 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24581 title Mandrake Linux Security Advisory : php (MDKSA-2006:196) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-320-1.NASL description The phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996) An information disclosure has been reported in the html_entity_decode() function. A script which uses this function to process arbitrary user-supplied input could be exploited to expose a random part of memory, which could potentially reveal sensitive data. (CVE-2006-1490) The wordwrap() function did not sufficiently check the validity of the last seen 2020-06-01 modified 2020-06-02 plugin id 27897 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27897 title Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-320-1) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-074.NASL description A cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed. (CVE-2006-0996) Directory traversal vulnerability in file.c in PHP <= 5.1.2 allows local users to bypass open_basedir restrictions and allows remote attackers to create files in arbitrary directories via the tempnam function. (CVE-2006-1494) The copy function in file.c in PHP <= 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI. (CVE-2006-1608) Updated packages have been patched to address these issues. After upgrading these packages, please run last seen 2020-06-01 modified 2020-06-02 plugin id 21281 published 2006-04-26 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21281 title Mandrake Linux Security Advisory : php (MDKSA-2006:074) NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_024.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:024 (php4,php5). This update fixes the following security issues in the scripting languages PHP4 and PHP5: - copy() and tempnam() functions could bypass open_basedir restrictions (CVE-2006-1494) - Cross-Site-Scripting (XSS) bug in phpinfo() (CVE-2006-0996) - mb_send_mail() lacked safe_mode checks (CVE-2006-1014, CVE-2006-1015) - html_entity_decode() could expose memory content (CVE-2006-1490) last seen 2019-10-28 modified 2006-05-13 plugin id 21369 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21369 title SUSE-SA:2006:024: php4,php5
Oval
| accepted | 2013-04-29T04:03:18.320-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:10196 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||||||
| rpms |
|
Statements
| contributor | Mark J Cox |
| lastmodified | 2006-08-30 |
| organization | Red Hat |
| statement | This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. |
References
- ftp://patches.sgi.com/support/free/security/advisories/20060701-01-U
- http://rhn.redhat.com/errata/RHSA-2006-0549.html
- http://secunia.com/advisories/19599
- http://secunia.com/advisories/19775
- http://secunia.com/advisories/19979
- http://secunia.com/advisories/21031
- http://secunia.com/advisories/21125
- http://secunia.com/advisories/21135
- http://secunia.com/advisories/21202
- http://secunia.com/advisories/21252
- http://secunia.com/advisories/21723
- http://secunia.com/advisories/22225
- http://securityreason.com/achievement_securityalert/36
- http://securityreason.com/securityalert/677
- http://securitytracker.com/id?1015881
- http://support.avaya.com/elmodocs2/security/ASA-2006-175.htm
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:074
- http://www.novell.com/linux/security/advisories/05-05-2006.html
- http://www.redhat.com/support/errata/RHSA-2006-0567.html
- http://www.redhat.com/support/errata/RHSA-2006-0568.html
- http://www.securityfocus.com/archive/1/447866/100/0/threaded
- http://www.securityfocus.com/bid/17439
- http://www.ubuntu.com/usn/usn-320-1
- http://www.vupen.com/english/advisories/2006/1290
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25705
- https://issues.rpath.com/browse/RPL-683
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10196