Bug 332451 - (CVE-2007-5424) CVE-2007-5424 PHP disable_functions does not disable aliases
CVE-2007-5424 PHP disable_functions does not disable aliases
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-15 09:58 EDT by Lubomir Kundrak
Modified: 2007-10-15 10:06 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-15 10:03:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-10-15 09:58:52 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5424 to the following vulnerability:

The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled.

References:

http://www.securityfocus.com/archive/1/archive/1/482006/100/0/threaded
http://securityvulns.com/news/PHP/alias-pb.html
http://securityvulns.ru/Sdocument67.html
Comment 2 Lubomir Kundrak 2007-10-15 10:03:20 EDT
Apart from that documentation doesn't say the function should disable the
function aliases, so the behavior of disable_functions is correct and this is
not even a functional bug.
Comment 3 Lubomir Kundrak 2007-10-15 10:06:06 EDT
The PHP "disable_functions" configuration option is intended to prevent an
interpreted script from calling specific functions.

But the PHP interpreter does not offer a "sandboxed" security layer (as found
in, say, a JVM) with which to reliably implement these features, so they cannot
be relied upon as a security feature.

Any bug in PHP (or any extension) which allows a script to corrupt memory or
cause the interpreter to crash may allow the script to bypass disable_functions.
 Similarly, any feature of a bundled (or third-party) extension
which allows the script to open arbitrary files, or execute arbitrary commands,
may allow the script to bypass disable_functions restrictions.

For these reasons, bugs in the PHP interpreter or extensions which allow scripts
to bypass these options, will not be treated as security-sensitive.

See also http://www.php.net/security-note.php for the similar position taken by
the PHP project.

Note You need to log in before you can comment on or make changes to this bug.