Bug 332451 (CVE-2007-5424)

Summary: CVE-2007-5424 PHP disable_functions does not disable aliases
Product: [Other] Security Response Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jorton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5424
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-15 14:03:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lubomir Kundrak 2007-10-15 13:58:52 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5424 to the following vulnerability:

The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled.

References:

http://www.securityfocus.com/archive/1/archive/1/482006/100/0/threaded
http://securityvulns.com/news/PHP/alias-pb.html
http://securityvulns.ru/Sdocument67.html
Comment 2 Lubomir Kundrak 2007-10-15 14:03:20 UTC 
Apart from that documentation doesn't say the function should disable the
function aliases, so the behavior of disable_functions is correct and this is
not even a functional bug.
Comment 3 Lubomir Kundrak 2007-10-15 14:06:06 UTC 
The PHP "disable_functions" configuration option is intended to prevent an
interpreted script from calling specific functions.

But the PHP interpreter does not offer a "sandboxed" security layer (as found
in, say, a JVM) with which to reliably implement these features, so they cannot
be relied upon as a security feature.

Any bug in PHP (or any extension) which allows a script to corrupt memory or
cause the interpreter to crash may allow the script to bypass disable_functions.
 Similarly, any feature of a bundled (or third-party) extension
which allows the script to open arbitrary files, or execute arbitrary commands,
may allow the script to bypass disable_functions restrictions.

For these reasons, bugs in the PHP interpreter or extensions which allow scripts
to bypass these options, will not be treated as security-sensitive.

See also http://www.php.net/security-note.php for the similar position taken by
the PHP project.