CVE-2009-3559 - main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir

CVE-2009-3559

Summary

main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.

References

Vulnerable Configurations

cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 11-04-2024 - 00:45)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

apple	APPLE-SA-2010-03-29-1
confirm	http://support.apple.com/kb/HT4077 http://www.php.net/ChangeLog-5.php http://www.php.net/releases/5_3_1.php
mandriva	MDVSA-2009:302
misc	http://bugs.php.net/bug.php?id=50063
mlist	[oss-security] 20091120 CVE request: php 5.3.1 update [oss-security] 20091120 Re: CVE request: php 5.3.1 update [php-announce] 20091119 5.3.1 Release announcement

Last major update

11-04-2024 - 00:45

Published

23-11-2009 - 17:30

Last modified

11-04-2024 - 00:45