Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 577578 - (CVE-2010-1129, CVE-2010-1130) CVE-2010-1129 CVE-2010-1130 php: safe_mode / open_basedir security fixes in 5.2.13/5.3.2
CVE-2010-1129 CVE-2010-1130 php: safe_mode / open_basedir security fixes in 5...
Status: CLOSED DUPLICATE of bug 169857
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Red Hat Product Security
impact=none,source=cve,reported=20100...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-27 23:30 EDT by Vincent Danen
Modified: 2015-08-19 04:45 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-27 23:31:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vincent Danen 2010-03-27 23:30:15 EDT 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1129 to
the following vulnerability:

Name: CVE-2010-1129
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1129
Assigned: 20100326
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/releases/5_2_13.php
Reference: BID:38431
Reference: URL: http://www.securityfocus.com/bid/38431
Reference: SECTRACK:1023661
Reference: URL: http://securitytracker.com/id?1023661
Reference: SECUNIA:38708
Reference: URL: http://secunia.com/advisories/38708
Reference: VUPEN:ADV-2010-0479
Reference: URL: http://www.vupen.com/english/advisories/2010/0479

The safe_mode implementation in PHP before 5.2.13 does not properly
handle directory pathnames that lack a trailing / (slash) character,
which allows context-dependent attackers to bypass intended access
restrictions via vectors related to use of the tempnam function.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1130 to
the following vulnerability:

Name: CVE-2010-1130
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1130
Assigned: 20100326
Reference: SREASONRES:20100211 PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass
Reference: URL: http://securityreason.com/achievement_securityalert/82
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?r1=293036&r2=294272
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?r1=293036&r2=294272
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/releases/5_2_13.php
Reference: SECTRACK:1023661
Reference: URL: http://securitytracker.com/id?1023661
Reference: SECUNIA:38708
Reference: URL: http://secunia.com/advisories/38708
Reference: SREASON:7008
Reference: URL: http://securityreason.com/securityalert/7008
Reference: VUPEN:ADV-2010-0479
Reference: URL: http://www.vupen.com/english/advisories/2010/0479

session.c in the session extension in PHP before 5.2.13, and 5.3.1,
does not properly interpret ; (semicolon) characters in the argument
to the session_save_path function, which allows context-dependent
attackers to bypass open_basedir and safe_mode restrictions via an
argument that contains multiple ; characters in conjunction with a ..
(dot dot).
Comment 1 Vincent Danen 2010-03-27 23:31:30 EDT 
Both of these flaws are safe_mode or open_basedir bypass flaws.

*** This bug has been marked as a duplicate of bug 169857 ***
Comment 2 Vincent Danen 2010-11-08 19:17:02 EST 
Statement:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.