ID CVE-2009-3559
Summary ** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.
References
Vulnerable Configurations
  • cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 01-04-2010 - 05:37)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
assigner via4 cve@mitre.org
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
apple APPLE-SA-2010-03-29-1
confirm
mandriva MDVSA-2009:302
misc http://bugs.php.net/bug.php?id=50063
mlist
  • [oss-security] 20091120 CVE request: php 5.3.1 update
  • [oss-security] 20091120 Re: CVE request: php 5.3.1 update
  • [php-announce] 20091119 5.3.1 Release announcement
vulnerable_product via4 cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*
Last major update 01-04-2010 - 05:37
Published 23-11-2009 - 17:30
Back to Top