Mandrake Linux Security Advisory : php (MDKSA-2006:185)

This script is Copyright (C) 2007-2015 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allow local users to bypass
certain Apache HTTP Server httpd.conf options, such as safe_mode and
open_basedir, via the ini_restore function, which resets the values to
their php.ini (Master Value) defaults. (CVE-2006-4625)

A race condition in the symlink function in PHP 5.1.6 and earlier
allows local users to bypass the open_basedir restriction by using a
combination of symlink, mkdir, and unlink functions to change the file
path after the open_basedir check and before the file is opened by the
underlying system, as demonstrated by symlinking a symlink into a
subdirectory, to point to a parent directory via .. (dot dot)
sequences, and then unlinking the resulting symlink. (CVE-2006-5178)

Because the design flaw cannot be solved, it is strongly recommended to
disable the symlink() function if you are using the open_basedir
feature. You can achieve that by adding symlink to the list of
disabled functions within your php.ini:

disable_functions=...,symlink

The updated packages do not alter the system php.ini.
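
Since the packages leave php.ini untouched, the symlink mitigation has to be verified by hand. The following audit is an added example, not part of the advisory or of the Nessus plugin: it reports every place open_basedir is enabled (php.ini, or php_admin_value / php_value in Apache configuration) while symlink is missing from disable_functions. The function names and the sample configuration are constructed for illustration, and the check assumes disable_functions is set in php.ini.

```python
import re

def parse_php_ini(text):
    """Effective php.ini directives; a later assignment overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        # ';' starts a comment. Assumes Unix ':'-separated paths, so no ';' inside values.
        line = raw.split(";", 1)[0].strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        values[key.strip().lower()] = value.strip().strip("\"'")
    return values

# mod_php directives that set open_basedir from Apache configuration.
APACHE_BASEDIR = re.compile(
    r"^\s*php_(?:admin_)?value\s+open_basedir\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def open_basedir_sources(php_ini_text, httpd_conf_text=""):
    """(source, value) pairs for every place open_basedir is switched on."""
    sources = []
    ini_value = parse_php_ini(php_ini_text).get("open_basedir", "")
    if ini_value:
        sources.append(("php.ini", ini_value))
    for match in APACHE_BASEDIR.finditer(httpd_conf_text):
        value = match.group(1).strip("\"'")
        if value.lower() != "none":  # "none" clears a previously set value
            sources.append(("httpd.conf", value))
    return sources

def audit(php_ini_text, httpd_conf_text=""):
    """Findings when open_basedir is in use but symlink() is still callable."""
    functions = parse_php_ini(php_ini_text).get("disable_functions", "")
    if "symlink" in {name.strip().lower() for name in functions.split(",")}:
        return []
    return [f"{src}: open_basedir={val} is set but symlink is not in disable_functions"
            for src, val in open_basedir_sources(php_ini_text, httpd_conf_text)]

# Constructed sample configuration, not taken from a real host.
SAMPLE_INI = "[PHP]\n; disable_functions = symlink\ndisable_functions = exec, passthru\n"
SAMPLE_HTTPD = """<VirtualHost *:80>
    php_admin_value open_basedir "/var/www/site1:/tmp"
    # php_admin_value open_basedir /srv/old
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI, SAMPLE_HTTPD)) or "ok")
```

The commented-out disable_functions line in the sample is ignored, so the virtual host's open_basedir is reported as unprotected.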

Updated packages have been patched to correct the CVE-2006-4625 issue.
Users must restart Apache for the changes to take effect.

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.2
(CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.4
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 24570 (mandrake_MDKSA-2006-185.nasl)

Bugtraq ID: 19933

CVE ID: CVE-2006-4625, CVE-2006-5178
