[php-maint] Bug#391281: CVE-2006-5178: yet another open_basedir bug

Stefan Fritsch sf at sfritsch.de
Sat Oct 14 15:33:20 CEST 2006


Race condition in the symlink function in PHP 5.1.6 and earlier allows
local users to bypass the open_basedir restriction by using a
combination of symlink, mkdir, and unlink functions to change the file
path after the open_basedir check and before the file is opened by the
underlying system, as demonstrated by symlinking a symlink into a
subdirectory, to point to a parent directory via .. (dot dot)
sequences, and then unlinking the resulting symlink.

More information about the pkg-php-maint mailing list