CVE-2008-5625
Published: 17 December 2008
PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
php5 Launchpad, Ubuntu, Debian |
upstream |
Released
(5.2.7)
|
| dapper |
Released
(5.1.2-1ubuntu3.13)
|
|
| gutsy |
Released
(5.2.3-1ubuntu6.5)
|
|
| hardy |
Released
(5.2.4-2ubuntu5.5)
|
|
| intrepid |
Released
(5.2.6-2ubuntu4.1)
|
|
|
Patches: upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?hideattic=0&r1=1.19.2.7.2.14&r2=1.19.2.7.2.15 upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?hideattic=0&r1=1.7.2.1.2.5&r2=1.7.2.1.2.6 |
||