CVE-2007-0448 – PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass
https://notcve.org/view.php?id=CVE-2007-0448
The fopen function in PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI. La función fopen del PHP 5.2.0 no maneja adecuadamente agentes URI inválidos, lo que permite a atacantes dependientes del contexto evitar las restricciones del modo seguro y leer ficheros de su elección a través de la especificación de una ruta de fichero con un URI no válido, como lo demostrado a través de la URI srpath. • https://www.exploit-db.com/exploits/29528 http://securityreason.com/achievement_securityalert/44 http://securityreason.com/securityalert/2175 http://www.securityfocus.com/bid/22261 •
CVE-2006-6383 – PHP 5.2 - Session.Save_Path() 'Safe_mode' / 'open_basedir' Restriction Bypass
https://notcve.org/view.php?id=CVE-2006-6383
PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ";" in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path. PHP 5.2.0 y 4.4 permite a usuarios locales evitar restricciones safe_mode y open_basedir a través de una ruta maliciosa y un byte nulo anterior a ";" en el argumento session_save_path, seguido por una ruta permitida, lo caul provoca una inconsistencia de validación en el cual PHP valida la ruta permitida pero asigna session.save_path a la ruta maliciosa. • https://www.exploit-db.com/exploits/29239 http://cvs.php.net/viewcvs.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.7&r2=1.336.2.53.2.8 http://lists.suse.com/archive/suse-security-announce/2007-Mar/0003.html http://secunia.com/advisories/24022 http://secunia.com/advisories/24514 http://securityreason.com/achievement_securityalert/43 http://securityreason.com/securityalert/2000 http://www.mandriva.com/security/advisories?name=MDKSA-2007:038 http://www.openpkg.com • CWE-20: Improper Input Validation •
CVE-2006-5706
https://notcve.org/view.php?id=CVE-2006-5706
Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap CVE-2006-1494. Vulnerabilidades no especificada en PHP, probablemente anterior a 5.2.0, permite a un usuario local evitar las restricciones open_basedir y llevar a cabo acciones no específicas a través de vectores no especificados que afectan a (1)chdir y (2)funciones tempnam. NOTA: el vector tempnam podría solaparse con CVE-2006-1494. • http://www.php.net/releases/5_2_0.php http://www.ubuntu.com/usn/usn-375-1 •
CVE-2006-5465 – PHP buffer overflow
https://notcve.org/view.php?id=CVE-2006-5465
Buffer overflow in PHP before 5.2.0 allows remote attackers to execute arbitrary code via crafted UTF-8 inputs to the (1) htmlentities or (2) htmlspecialchars functions. Desbordamiento de búfer en PHP anterior a 5.2.0 permite a un atacante remoto ejecutar código de su elección mediante entradas UTF-8 manipuladas a las funciones (1) htmlentities o (2) htmlspecialchars. • ftp://patches.sgi.com/support/free/security/advisories/20061101-01-P http://docs.info.apple.com/article.html?artnum=304829 http://issues.rpath.com/browse/RPL-761 http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html http://rhn.redhat.com/errata/RHSA-2006-0736.html http://secunia.com/advisories/22653 http://secunia.com/advisories/22685 http://secunia.com/advisories/22688 http://secunia.com/advisories/22693 http://secunia.com/advisories/22713 http://se •
CVE-2006-4812 – PHP 3 < 5 - ZendEngine ECalloc Integer Overflow
https://notcve.org/view.php?id=CVE-2006-4812
Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c). Desbordamiento de enteros en PHP 5 hasta la 5.1.6 y 4 anteriorer a 4.3.0 permite a un atacante remoto ejecutar código de su elección a través de un argumento a la funcion PHP unserializable con un valor grande para el número de elementos del array, lo cual dispara el desbordamiento en la función ecalloc en Zend Engine (Zend/zend_alloc.c). • https://www.exploit-db.com/exploits/28760 http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.161&r2=1.162 http://lists.suse.com/archive/suse-security-announce/2006-Oct/0002.html http://rhn.redhat.com/errata/RHSA-2006-0688.html http://rhn.redhat.com/errata/RHSA-2006-0708.html http://secunia.com/advisories/22280 http://secunia.com/advisories/22281 http://secunia.com/advisories/22300 http://secunia.com/advisories/22331 http://secunia.com/advisories/22338 • CWE-94: Improper Control of Generation of Code ('Code Injection') •