CVE-2008-5625

Publication date 17 December 2008

Last updated 24 July 2024

PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a “php_value error_log” entry in a .htaccess file.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
php5	8.10 intrepid	Fixed 5.2.6-2ubuntu4.1
	8.04 LTS hardy	Fixed 5.2.4-2ubuntu5.5
	7.10 gutsy	Fixed 5.2.3-1ubuntu6.5
	6.06 LTS dapper	Fixed 5.1.2-1ubuntu3.13

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?hideattic=0&r1=1.19.2.7.2.14&r2=1.19.2.7.2.15 Upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?hideattic=0&r1=1.7.2.1.2.5&r2=1.7.2.1.2.6

References

Related Ubuntu Security Notices (USN)

USN-720-1
PHP vulnerabilities
12 February 2009

CVE-2008-5625

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references