ID CVE-2006-4625
Summary PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.
References
Vulnerable Configurations
  • PHP 4.0.0
    cpe:2.3:a:php:php:4.0
  • PHP PHP 4.0.1
    cpe:2.3:a:php:php:4.0.1
  • cpe:2.3:a:php:php:4.0.1:patch1
    cpe:2.3:a:php:php:4.0.1:patch1
  • cpe:2.3:a:php:php:4.0.1:patch2
    cpe:2.3:a:php:php:4.0.1:patch2
  • PHP PHP 4.0.2
    cpe:2.3:a:php:php:4.0.2
  • PHP PHP 4.0.3
    cpe:2.3:a:php:php:4.0.3
  • cpe:2.3:a:php:php:4.0.3:patch1
    cpe:2.3:a:php:php:4.0.3:patch1
  • PHP PHP 4.0.4
    cpe:2.3:a:php:php:4.0.4
  • PHP PHP 4.0.5
    cpe:2.3:a:php:php:4.0.5
  • PHP PHP 4.0.6
    cpe:2.3:a:php:php:4.0.6
  • PHP PHP 4.0.7
    cpe:2.3:a:php:php:4.0.7
  • cpe:2.3:a:php:php:4.0.7:rc1
    cpe:2.3:a:php:php:4.0.7:rc1
  • cpe:2.3:a:php:php:4.0.7:rc2
    cpe:2.3:a:php:php:4.0.7:rc2
  • cpe:2.3:a:php:php:4.0.7:rc3
    cpe:2.3:a:php:php:4.0.7:rc3
  • PHP PHP 4.1.0
    cpe:2.3:a:php:php:4.1.0
  • PHP PHP 4.1.1
    cpe:2.3:a:php:php:4.1.1
  • PHP PHP 4.1.2
    cpe:2.3:a:php:php:4.1.2
  • cpe:2.3:a:php:php:4.2:-:dev
    cpe:2.3:a:php:php:4.2:-:dev
  • PHP PHP 4.2.0
    cpe:2.3:a:php:php:4.2.0
  • PHP PHP 4.2.1
    cpe:2.3:a:php:php:4.2.1
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP PHP 4.2.3
    cpe:2.3:a:php:php:4.2.3
  • PHP PHP 4.3.0
    cpe:2.3:a:php:php:4.3.0
  • PHP PHP 4.3.1
    cpe:2.3:a:php:php:4.3.1
  • PHP PHP 4.3.2
    cpe:2.3:a:php:php:4.3.2
  • PHP PHP 4.3.3
    cpe:2.3:a:php:php:4.3.3
  • PHP PHP 4.3.4
    cpe:2.3:a:php:php:4.3.4
  • PHP PHP 4.3.5
    cpe:2.3:a:php:php:4.3.5
  • PHP PHP 4.3.6
    cpe:2.3:a:php:php:4.3.6
  • PHP PHP 4.3.8
    cpe:2.3:a:php:php:4.3.8
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP PHP 4.3.10
    cpe:2.3:a:php:php:4.3.10
  • PHP PHP 4.3.11
    cpe:2.3:a:php:php:4.3.11
  • PHP PHP 4.4.0
    cpe:2.3:a:php:php:4.4.0
  • PHP PHP 4.4.1
    cpe:2.3:a:php:php:4.4.1
  • PHP PHP 4.4.2
    cpe:2.3:a:php:php:4.4.2
  • PHP PHP 4.4.3
    cpe:2.3:a:php:php:4.4.3
  • PHP PHP 4.4.4
    cpe:2.3:a:php:php:4.4.4
  • cpe:2.3:a:php:php:5.0:rc1
    cpe:2.3:a:php:php:5.0:rc1
  • cpe:2.3:a:php:php:5.0:rc2
    cpe:2.3:a:php:php:5.0:rc2
  • cpe:2.3:a:php:php:5.0:rc3
    cpe:2.3:a:php:php:5.0:rc3
  • PHP PHP 5.0.0
    cpe:2.3:a:php:php:5.0.0
  • PHP PHP 5.0.1
    cpe:2.3:a:php:php:5.0.1
  • PHP PHP 5.0.2
    cpe:2.3:a:php:php:5.0.2
  • PHP PHP 5.0.3
    cpe:2.3:a:php:php:5.0.3
  • PHP PHP 5.0.4
    cpe:2.3:a:php:php:5.0.4
  • PHP PHP 5.0.5
    cpe:2.3:a:php:php:5.0.5
  • PHP PHP 5.1.0
    cpe:2.3:a:php:php:5.1.0
  • PHP PHP 5.1.1
    cpe:2.3:a:php:php:5.1.1
  • PHP PHP 5.1.2
    cpe:2.3:a:php:php:5.1.2
  • PHP PHP 5.1.3
    cpe:2.3:a:php:php:5.1.3
  • PHP 5.1.4
    cpe:2.3:a:php:php:5.1.4
  • PHP PHP 5.1.5
    cpe:2.3:a:php:php:5.1.5
  • PHP PHP 5.1.6
    cpe:2.3:a:php:php:5.1.6
CVSS
Base: 3.6 (as of 12-09-2006 - 15:36)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
exploit-db via4
description PHP 3-5 Ini_Restore() Safe_Mode and Open_Basedir Restriction Bypass Vulnerability. CVE-2006-4625. Local exploit for php platform
id EDB-ID:28504
last seen 2016-02-03
modified 2006-09-09
published 2006-09-09
reporter Maksymilian Arciemowicz
source https://www.exploit-db.com/download/28504/
title PHP 3-5 Ini_Restore Safe_Mode and Open_Basedir Restriction Bypass Vulnerability
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-185.NASL
    description PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults. (CVE-2006-4625) A race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink. (CVE-2006-5178) Because the design flaw cannot be solved it is strongly recommended to disable the symlink() function if you are using the open_basedir feature. You can achieve that by adding symlink to the list of disabled functions within your php.ini: disable_functions=...,symlink The updated packages do not alter the system php.ini. Updated packages have been patched to correct the CVE-2006-4625 issue. Users must restart Apache for the changes to take effect.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 24570
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24570
    title Mandrake Linux Security Advisory : php (MDKSA-2006:185)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2153.NASL
    description The ini_restore() method could be exploited to reset options set in the webserver config to their default values (CVE-2006-4625). The memory handling routines contained an integer overflow (CVE-2006-4812).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27147
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27147
    title openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-2153)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-MOD_PHP5-2152.NASL
    description The ini_restore() method could be exploited to reset options set in the webserver config to their default values. (CVE-2006-4625) The memory handling routines contained an integer overflow. (CVE-2006-4812)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29375
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29375
    title SuSE 10 Security Update : PHP (ZYPP Patch Number 2152)
  • NASL family CGI abuses
    NASL id PHP_4_4_5.NASL
    description According to its banner, the version of PHP installed on the remote host is older than 4.4.5. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of super-globals.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 24906
    published 2007-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24906
    title PHP < 4.4.5 Multiple Vulnerabilities
  • NASL family CGI abuses
    NASL id PHP_5_2_0.NASL
    description According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2. Such versions may be affected by several buffer overflows. To exploit these issues, an attacker would need the ability to upload an arbitrary PHP script on the remote server or to manipulate several variables processed by some PHP functions such as 'htmlentities().'
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 31649
    published 2008-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31649
    title PHP 5.x < 5.2 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-362-1.NASL
    description The stripos() function did not check for invalidly long or empty haystack strings. In an application that uses this function on arbitrary untrusted data this could be exploited to crash the PHP interpreter. (CVE-2006-4485) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the 'memory_limit' setting was not enforced correctly. A remote attacker could exploit this to cause a Denial of Service attack through memory exhaustion. (CVE-2006-4486) Maksymilian Arciemowicz discovered that security relevant configuration options like open_basedir and safe_mode (which can be configured in Apache's httpd.conf) could be bypassed and reset to their default value in php.ini by using the ini_restore() function. (CVE-2006-4625) Stefan Esser discovered that the ecalloc() function in the Zend engine did not check for integer overflows. This particularly affected the unserialize() function. In applications which unserialize untrusted user-defined data, this could be exploited to execute arbitrary code with the application's privileges. (CVE-2006-4812). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27942
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27942
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : php4, php5 vulnerabilities (USN-362-1)
packetstorm via4
data source https://packetstormsecurity.com/files/download/49918/phpBypass.txt
id PACKETSTORM:49918
last seen 2016-12-05
published 2006-09-13
reporter Maksymilian Arciemowicz
source https://packetstormsecurity.com/files/49918/phpBypass.txt.html
title phpBypass.txt
refmap via4
bid 19933
bugtraq
  • 20060909 Re: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()
  • 20060913 Re: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()
hp
  • HPSBMA02215
  • HPSBTU02232
  • SSRT071423
  • SSRT071429
mandriva MDKSA-2006:185
openpkg OpenPKG-SA-2006.023
secunia
  • 22282
  • 22331
  • 22338
  • 22424
  • 25423
  • 25850
sreason 1519
sreasonres 20060909 PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()
suse SUSE-SA:2006:059
turbo TLSA-2006-38
ubuntu USN-362-1
vupen
  • ADV-2007-1991
  • ADV-2007-2374
xf php-inirestore-security-bypass(28853)
statements via4
contributor Mark J Cox
lastmodified 2006-09-20
organization Red Hat
statement We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
Last major update 07-03-2011 - 21:41
Published 12-09-2006 - 12:07
Last modified 30-10-2018 - 12:25
Back to Top