发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:51:04

[原文]PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

[CNNVD]PHP 多个 绕过安全限制漏洞(CNNVD-200501-195)


- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
(UNKNOWN)  BID  11964
(UNKNOWN)  XF  php-safemodeexecdir-restriction-bypass(18511)

- 漏洞信息

PHP 多个 绕过安全限制漏洞
危急 设计错误
2005-01-10 00:00:00 2005-10-20 00:00:00

- 公告与补丁


- 漏洞信息 (F35361)

012004.txt (PacketStormID:F35361)
2004-12-30 00:00:00
Stefan Esser

Hardened-PHP Project Security Advisory - Several vulnerabilities within PHP allow local and remote execution of arbitrary code. PHP4 versions 4.3.9 and below and PHP5 version 5.0.2 and below are affected.

Hash: SHA1

                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser []

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow 
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.


   PHP is a widely-used general-purpose scripting language that is 
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP 
   were discovered that reach from bufferoverflows, over information 
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.


   [01 - pack() - integer overflow leading to heap bufferoverflow ]
   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidently exposes it to
   remote attackers.
   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similiar to 01 this
   function is usually not used on user supplied data within

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]
   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir. 
   Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.
   [04 - safe_mode bypass through path truncation ]
   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.
   [05 - path truncation in realpath() ]
   PHP uses realpath() within several places to get the real path
   of files. Unfourtunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/"; is used on such
   [06 - unserialize() - wrong handling of negative references ]
   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)
   [07 - unserialize() - wrong handling of references to freed data ]
   Additionally to bug 07 the previous version of the variable 
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create 
   an universal string that will pass execution to an arbitrary 
   memory address when it is passed to unserialize(). For AMD64 systems
   a string was developed that directly passes execution to code 
   contained in the string itself.
   It is necessary to understand that these strings can exploit a 
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().
   Examples of vulnerable scripts:
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any 
   of these vulnerabilities to the public.

CVE Information:

   The Common Vulnerabilities and Exposures project ( has
   assigned the name CAN-2004-1018 to issues 01, 02, the name 
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2004 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see



- 漏洞信息

PHP Multithreaded safe_mode_exec_dir Restriction Bypass
Local Access Required Input Manipulation
Loss of Integrity
Vendor Verified

- 漏洞描述

PHP contains a flaw related to the safe_mode functionality that may allow a local attacker to execute arbitrary commands. The issue is due to PHP prepending the current directory to the constructed path for any command executed on a multithreaded web server. With the additional path, an attacker can bypass the safe_mode_exec_dir restriction and inject shell commands into the current directory name.

- 时间线

2004-12-15 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete