Bug 577578 (CVE-2010-1129, CVE-2010-1130) - CVE-2010-1129 CVE-2010-1130 php: safe_mode / open_basedir security fixes in 5.2.13/5.3.2
Summary: CVE-2010-1129 CVE-2010-1130 php: safe_mode / open_basedir security fixes in 5...
Keywords:
Status: CLOSED DUPLICATE of bug 169857
Alias: CVE-2010-1129, CVE-2010-1130
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-28 03:30 UTC by Vincent Danen
Modified: 2021-02-25 01:25 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-28 03:31:30 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2010-03-28 03:30:15 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1129 to
the following vulnerability:

Name: CVE-2010-1129
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1129
Assigned: 20100326
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/releases/5_2_13.php
Reference: BID:38431
Reference: URL: http://www.securityfocus.com/bid/38431
Reference: SECTRACK:1023661
Reference: URL: http://securitytracker.com/id?1023661
Reference: SECUNIA:38708
Reference: URL: http://secunia.com/advisories/38708
Reference: VUPEN:ADV-2010-0479
Reference: URL: http://www.vupen.com/english/advisories/2010/0479

The safe_mode implementation in PHP before 5.2.13 does not properly
handle directory pathnames that lack a trailing / (slash) character,
which allows context-dependent attackers to bypass intended access
restrictions via vectors related to use of the tempnam function.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1130 to
the following vulnerability:

Name: CVE-2010-1130
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1130
Assigned: 20100326
Reference: SREASONRES:20100211 PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass
Reference: URL: http://securityreason.com/achievement_securityalert/82
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?r1=293036&r2=294272
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?r1=293036&r2=294272
Reference: CONFIRM: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/releases/5_2_13.php
Reference: SECTRACK:1023661
Reference: URL: http://securitytracker.com/id?1023661
Reference: SECUNIA:38708
Reference: URL: http://secunia.com/advisories/38708
Reference: SREASON:7008
Reference: URL: http://securityreason.com/securityalert/7008
Reference: VUPEN:ADV-2010-0479
Reference: URL: http://www.vupen.com/english/advisories/2010/0479

session.c in the session extension in PHP before 5.2.13, and 5.3.1,
does not properly interpret ; (semicolon) characters in the argument
to the session_save_path function, which allows context-dependent
attackers to bypass open_basedir and safe_mode restrictions via an
argument that contains multiple ; characters in conjunction with a ..
(dot dot).
Comment 1 Vincent Danen 2010-03-28 03:31:30 UTC 
Both of these flaws are safe_mode or open_basedir bypass flaws.

*** This bug has been marked as a duplicate of bug 169857 ***
Comment 2 Vincent Danen 2010-11-09 00:17:02 UTC 
Statement:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
Note You need to log in before you can comment on or make changes to this bug.