Your submission was sent successfully! Close

CVE-2008-5625

Published: 17 December 2008

PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.

Priority

Low

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
dapper
Released (5.1.2-1ubuntu3.13)
gutsy
Released (5.2.3-1ubuntu6.5)
hardy
Released (5.2.4-2ubuntu5.5)
intrepid
Released (5.2.6-2ubuntu4.1)
upstream
Released (5.2.7)
Patches:
upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?hideattic=0&r1=1.19.2.7.2.14&r2=1.19.2.7.2.15
upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?hideattic=0&r1=1.7.2.1.2.5&r2=1.7.2.1.2.6