CVE-2008-5625

Published: 17 December 2008

PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.

Priority

Status

Package	Release	Status
php5 Launchpad, Ubuntu, Debian	dapper	Released (5.1.2-1ubuntu3.13)
	gutsy	Released (5.2.3-1ubuntu6.5)
	hardy	Released (5.2.4-2ubuntu5.5)
	intrepid	Released (5.2.6-2ubuntu4.1)
	upstream	Released (5.2.7)
	Patches: upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?hideattic=0&r1=1.19.2.7.2.14&r2=1.19.2.7.2.15 upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?hideattic=0&r1=1.7.2.1.2.5&r2=1.7.2.1.2.6

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2008-5625

Priority

Status

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading