Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5624 to the following vulnerability: PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable. References: http://securityreason.com/achievement_securityalert/59 http://www.securityfocus.com/archive/1/archive/1/498985/100/0/ http://www.php.net/ChangeLog-5.php#5.2.7 http://www.securityfocus.com/bid/32688 http://xforce.iss.net/xforce/xfdb/47318
Upstream patch: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.941&r2=1.942
*** This bug has been marked as a duplicate of bug 169857 ***