Hi,

In the PHP 5.3.1 security changelog, we can read that the safe_mode bypass in tempnam() has already been fixed. But safe_mode is deprecated in the 5.3 line. We can understand a security fix for an open_basedir bypass, but not for safe_mode in 5.3.

Annoying is the fact that an exploit to bypass open_basedir or safe_mode in PHP 5.3.1 is available at

http://securityreason.com/achievement_exploitalert/14

We can use the symlink trick like in

http://securityreason.com/achievement_securityalert/70

The issue has been reported to PHP, but did not obtain a meaningful response.

A very similar issue was reported in October 2006 by Stefan Esser (SREASON:1692)

http://securityreason.com/securityalert/1692

This issue has been fixed. The small difference with this one is that we need to create a fake directory structure.

--
Best Regards,
------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib) <cxib@xxxxxxxxxxxxxxxxxx>
sub 4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/