Red Hat Bugzilla – Bug 332451
CVE-2007-5424 PHP disable_functions does not disable aliases
Last modified: 2007-10-15 10:06:06 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5424 to the following vulnerability:
The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled.
Apart from that documentation doesn't say the function should disable the
function aliases, so the behavior of disable_functions is correct and this is
not even a functional bug.
The PHP "disable_functions" configuration option is intended to prevent an
interpreted script from calling specific functions.
But the PHP interpreter does not offer a "sandboxed" security layer (as found
in, say, a JVM) with which to reliably implement these features, so they cannot
be relied upon as a security feature.
Any bug in PHP (or any extension) which allows a script to corrupt memory or
cause the interpreter to crash may allow the script to bypass disable_functions.
Similarly, any feature of a bundled (or third-party) extension
which allows the script to open arbitrary files, or execute arbitrary commands,
may allow the script to bypass disable_functions restrictions.
For these reasons, bugs in the PHP interpreter or extensions which allow scripts
to bypass these options, will not be treated as security-sensitive.
See also http://www.php.net/security-note.php for the similar position taken by
the PHP project.