[php-maint] Bug#354685: PHP4 in Sarge may be vulnerable to CVE-2005-3054

Nick Jenkins nickpj at gmail.com
Tue Feb 28 04:30:46 UTC 2006

Package: php4
Version: 4:4.3.10-16
Severity: normal
Tags: security


  An issue with trailing slashes in allowed basedirs.
  fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not properly
  restrict access to other directories when the open_basedir directive includes
  a trailing slash, which allows PHP scripts in one directory to access files in
  other directories whose names are substrings of the original directory.

Vulnerable PHP versions:
  PHP 4.3.10 appears vulnerable according to advisories on
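
Added example, not part of the original report and not the code from fopen_wrappers.c: a simplified C model of this class of basedir prefix-comparison flaw next to a check that only accepts a match ending on a path-component boundary. The function names and sample paths are constructed, and both functions assume the paths are already canonical absolute paths (no `..`, symlinks resolved).

```c
#include <stdio.h>
#include <string.h>

/* Length of p without trailing '/' characters ("/" itself stays length 1). */
static size_t base_len(const char *p) {
    size_t n = strlen(p);
    while (n > 1 && p[n - 1] == '/') n--;
    return n;
}

/* Flawed model (assumption, not PHP's code): byte-prefix comparison
   once the trailing slash of the basedir has been dropped. */
int naive_in_basedir(const char *basedir, const char *path) {
    return strncmp(basedir, path, base_len(basedir)) == 0;
}

/* Hardened: the matched prefix must end exactly on a component boundary. */
int strict_in_basedir(const char *basedir, const char *path) {
    size_t n = base_len(basedir);
    if (n == 0 || basedir[0] != '/' || path[0] != '/') return 0; /* absolute only */
    if (strncmp(basedir, path, n) != 0) return 0;
    if (n == 1) return 1;                       /* basedir is "/" */
    return path[n] == '\0' || path[n] == '/';   /* the dir itself or a child */
}

int main(void) {
    const char *basedir = "/var/www/site/";     /* constructed sample values */
    const char *paths[] = { "/var/www/site/index.php", "/var/www/site",
                            "/var/www/site2/secret.txt", "/var/www/other/x" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-28s naive=%d strict=%d\n", paths[i],
               naive_in_basedir(basedir, paths[i]),
               strict_in_basedir(basedir, paths[i]));
    return 0;
}
```

When auditing a similar restriction, the sibling-directory case (`site` versus `site2`) is the regression test to keep.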
