CVE-2010-1129 - OpenCVE

The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Php	Php

Configuration 1 [-]

OR	cpe:2.3:a:php:php:5.2.0:::::::*
	cpe:2.3:a:php:php:5.2.1:::::::*
	cpe:2.3:a:php:php:5.2.2:::::::*
	cpe:2.3:a:php:php:5.2.3:::::::*
	cpe:2.3:a:php:php:5.2.4:::::::*
	cpe:2.3:a:php:php:5.2.5:::::::*
	cpe:2.3:a:php:php:5.2.6:::::::*
	cpe:2.3:a:php:php:5.2.7:::::::*
	cpe:2.3:a:php:php:5.2.8:::::::*
	cpe:2.3:a:php:php:5.2.9:::::::*
	cpe:2.3:a:php:php:5.2.10:::::::*
	cpe:2.3:a:php:php:5.2.11:::::::*
	cpe:2.3:a:php:php:5.2.12:::::::*

References

Link	Resource
http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083
http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html
http://secunia.com/advisories/38708	Vendor Advisory
http://secunia.com/advisories/40551
http://securitytracker.com/id?1023661
http://support.apple.com/kb/HT4312
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_2_13.php	Patch
http://www.securityfocus.com/bid/38431
http://www.vupen.com/english/advisories/2010/0479	Vendor Advisory
http://www.vupen.com/english/advisories/2010/1796

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2010-03-26T20:00:00

Updated: 2010-07-16T09:00:00

Reserved: 2010-03-26T00:00:00

Link: CVE-2010-1129

JSON object: View

NVD Information

Status : Modified

Published: 2010-03-26T20:30:00.907

Modified: 2010-08-31T05:42:58.773

Link: CVE-2010-1129

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-02-25T00:00:00", "descriptions": [{"lang": "en", "value": "The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2010-07-16T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SSRT100018", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083"}, {"name": "ADV-2010-0479", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.php.net/releases/5_2_13.php"}, {"name": "HPSBMA02554", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083"}, {"name": "40551", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/40551"}, {"name": "APPLE-SA-2010-08-24-1", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.php.net/ChangeLog-5.php"}, {"name": "38708", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/38708"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT4312"}, {"name": "1023661", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1023661"}, {"name": "ADV-2010-1796", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/1796"}, {"name": "38431", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/38431"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-1129", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SSRT100018", "refsource": "HP", "url": "http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083"}, {"name": "ADV-2010-0479", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"name": "http://www.php.net/releases/5_2_13.php", "refsource": "CONFIRM", "url": "http://www.php.net/releases/5_2_13.php"}, {"name": "HPSBMA02554", "refsource": "HP", "url": "http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083"}, {"name": "40551", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/40551"}, {"name": "APPLE-SA-2010-08-24-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html"}, {"name": "http://www.php.net/ChangeLog-5.php", "refsource": "CONFIRM", "url": "http://www.php.net/ChangeLog-5.php"}, {"name": "38708", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38708"}, {"name": "http://support.apple.com/kb/HT4312", "refsource": "CONFIRM", "url": "http://support.apple.com/kb/HT4312"}, {"name": "1023661", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1023661"}, {"name": "ADV-2010-1796", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/1796"}, {"name": "38431", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38431"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-1129", "datePublished": "2010-03-26T20:00:00", "dateReserved": "2010-03-26T00:00:00", "dateUpdated": "2010-07-16T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD02D837-FD28-4E0F-93F8-25E8D1C84A99", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "88358D1E-BE6F-4CE3-A522-83D1FA4739E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B97B03-7DA7-4A5F-89B4-E78CAB20DE17", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "86767200-6C9C-4C3E-B111-0E5BE61E197B", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B00B416D-FF23-4C76-8751-26D305F0FA0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "CCB6CDDD-70D3-4004-BCE0-8C4723076103", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A782CA26-9C38-40A8-92AE-D47B14D2FCE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "1C0E7E2A-4770-4B68-B74C-5F5A6E1876DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "0892C89E-9389-4452-B7E0-981A763CD426", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "635F3CB1-B042-43CC-91AB-746098018D8C", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "E1F32DDF-17A3-45B5-9227-833EBEBD3923", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "2CDFB7E9-8510-430F-BFBC-FD811D60DC78", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "79D5336A-14AA-483E-9CBE-A7B53120B925", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function."}, {"lang": "es", "value": "La implementaci\u00f3n de safe_mode en PHP anteriores a v5.2.13 no manejan de forma adecuada las rutas de los nombres de directorios que no tienen un car\u00e1cter \"/\" (barra), lo que permite a usuarios dependiendo del contexto saltarse las restricciones de intentos de acceso a trav\u00e9s de vectores relativos al uso de la funci\u00f3n tempsam."}], "id": "CVE-2010-1129", "lastModified": "2010-08-31T05:42:58.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-03-26T20:30:00.907", "references": [{"source": "cve@mitre.org", "url": "http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083"}, {"source": "cve@mitre.org", "url": "http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/38708"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/40551"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1023661"}, {"source": "cve@mitre.org", "url": "http://support.apple.com/kb/HT4312"}, {"source": "cve@mitre.org", "url": "http://www.php.net/ChangeLog-5.php"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.php.net/releases/5_2_13.php"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/38431"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2010/1796"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php", "lastModified": "2010-03-27T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}