Date: Fri, 27 Nov 2009 15:42:25 +0200
From: Milen Rangelov <mrangelov@...bul.bg>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026
 [was: Re: CVE request: php 5.3.1 update]

Hello, 


>CVE-2009-4018

>PHP before 5.3.1 proc_open() can be used to bypass the
>safe_mode_protected_env_vars INI setting. This could be used to alter the
>process environment possibly executing arbitrary code.
>
>
>http://www.php.net/ChangeLog-5.php#5.3.1
>http://bugs.php.net/bug.php?id=49026
>http://marc.info/?l=oss-security&m=125897935330618&w=2
>
>Thanks.
>
>-- 
>    JB

Great to see an almost one-year-old bug getting fixed (and assigned a
CVE ID for that matter).

It was reported back in 2008 but apparently no one took care:

http://www.securityfocus.com/bid/32717/info


Regards,

Milen Rangelov
