CVE-2006-1494
published 2006-04-10CVE-2006-1494: Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create…
PriorityP427low2.6CVSS 2.0
AVNACHAuNCNIPAN
EXPLOIT
EPSS
6.24%
92.7th percentile
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
Affected
46 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.1.6 | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
CVSS provenance
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:N/I:P/A:N
vendor_ubuntu4.3MEDIUM
vendor_redhat2.6LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2006-07-19·CVSS 4.3
CVE-2006-1494 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: PHP vulnerabilities
The phpinfo() PHP function did not properly sanitize long strings. A
remote attacker could use this to perform cross-site scripting attacks
against sites that have publicly-available PHP scripts that call
phpinfo(). Please note that it is not recommended to publicly expose
phpinfo(). (CVE-2006-0996)
An information disclosure has been reported in the
html_entity_decode() function. A script which uses this function to
process arbitrary user-supplied input could be exploited to expose a
random part of memory, which could potentially reveal sensitive data.
(CVE-2006-1490)
The wordwrap() function did not sufficiently check the validity of the
'break' argument. An attacker who could control the string passed to
the 'break' parameter cou
Red Hat
security flaw
vendor_redhat·2006-04-08·CVSS 2.6
CVE-2006-1494 [LOW] security flaw
security flaw
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
Statement: This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.
Red Hat
CVE-2006-5706: Unspecified vulnerabilities in PHP, probably before 5
vendor_redhat·CVSS 2.6
CVE-2006-5706 [LOW] CVE-2006-5706: Unspecified vulnerabilities in PHP, probably before 5
Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap CVE-2006-1494.
Statement: We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
GHSA
GHSA-4jq7-hvr2-qgmp: Directory traversal vulnerability in file
ghsa_unreviewed·2022-05-03
CVE-2006-1494 [LOW] GHSA-4jq7-hvr2-qgmp: Directory traversal vulnerability in file
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
GHSA
GHSA-g8jg-4ghm-qvfv: Unspecified vulnerabilities in PHP, probably before 5
ghsa_unreviewed·2022-05-01·CVSS 2.6
CVE-2006-5706 [LOW] GHSA-g8jg-4ghm-qvfv: Unspecified vulnerabilities in PHP, probably before 5
Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap CVE-2006-1494.
No detection rules found.
Bugzilla
CVE-2006-1494 security flaw
bugzilla·2018-08-16·CVSS 2.6
CVE-2006-1494 [LOW] CVE-2006-1494 security flaw
CVE-2006-1494 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
---
Statement:
This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.
Bugzilla
CVE-2006-1494 PHP tempname open_basedir issue
bugzilla·2006-07-03·CVSS 2.6
CVE-2006-1494 [LOW] CVE-2006-1494 PHP tempname open_basedir issue
CVE-2006-1494 PHP tempname open_basedir issue
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0549.html
Bugzilla
CVE-2006-1494 PHP tempname open_basedir issue
bugzilla·2006-06-28·CVSS 2.6
CVE-2006-1494 [LOW] CVE-2006-1494 PHP tempname open_basedir issue
CVE-2006-1494 PHP tempname open_basedir issue
+++ This bug was initially created as a clone of Bug #189591 +++
PHP tempname open_basedir issue
http://securityreason.com/achievement_securityalert/36
tempname open_basedir issue. It's possible to break out of your
open_basedir restricted path.
We've fixed issues similar to this in the past, but did claim it's a
case of safe mode not being safe:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=147808
This issue also affects RHEL3
This issue also affects RHEL2.1
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below.
Bugzilla
CVE-2006-1494 PHP tempname open_basedir issue
bugzilla·2006-04-21·CVSS 2.6
CVE-2006-1494 [LOW] CVE-2006-1494 PHP tempname open_basedir issue
CVE-2006-1494 PHP tempname open_basedir issue
PHP tempname open_basedir issue
http://securityreason.com/achievement_securityalert/36
tempname open_basedir issue. It's possible to break out of your
open_basedir restricted path.
We've fixed issues similar to this in the past, but did claim it's a
case of safe mode not being safe:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=147808
This issue also affects RHEL3
This issue also affects RHEL2.1
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for y
Bugzilla
CVE-2006-1494 PHP tempname open_basedir issue
bugzilla·2006-04-21·CVSS 2.6
CVE-2006-1494 [LOW] CVE-2006-1494 PHP tempname open_basedir issue
CVE-2006-1494 PHP tempname open_basedir issue
PHP tempname open_basedir issue
http://securityreason.com/achievement_securityalert/36
tempname open_basedir issue. It's possible to break out of your
open_basedir restricted path.
We've fixed issues similar to this in the past, but did claim it's a
case of safe mode not being safe:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=147808
This issue also affects FC4
Discussion:
Fixed in FEDORA-2006-289.
Bugzilla
CVE-2006-1864 smbfs chroot issue
bugzilla·2006-04-19·CVSS 2.6
CVE-2006-1864 [LOW] CVE-2006-1864 smbfs chroot issue
CVE-2006-1864 smbfs chroot issue
When doing a chroot inside of a smb-mounted filesystem (smbfs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
Discussion:
With e.61, I can reproduce the strange looking current working directory, but I
can't seem to break out of the jail. I'll see what happens with the new kernel.
//127.0.0.1/tmp 32897536 6115840 26781696 19% /mnt/cdrom
.qa.[root@ia64-21as-bos cdrom]# cp -a /bin /etc/ /lib /tmp
.qa.[root@ia64-21as-bos cdrom]# ll
total 49
drwxr-xr-x 1 root root 16384 Jun 4 02:36 bin
drwxr-xr-x 1 root root 16384 Jul 1
ftp://patches.sgi.com/support/free/security/advisories/20060701-01-Uhttp://rhn.redhat.com/errata/RHSA-2006-0549.htmlhttp://secunia.com/advisories/19599http://secunia.com/advisories/19775http://secunia.com/advisories/19979http://secunia.com/advisories/21031http://secunia.com/advisories/21125http://secunia.com/advisories/21135http://secunia.com/advisories/21202http://secunia.com/advisories/21252http://secunia.com/advisories/21723http://secunia.com/advisories/22225http://securityreason.com/achievement_securityalert/36http://securityreason.com/securityalert/677http://securitytracker.com/id?1015881http://support.avaya.com/elmodocs2/security/ASA-2006-175.htmhttp://www.mandriva.com/security/advisories?name=MDKSA-2006:074http://www.novell.com/linux/security/advisories/05-05-2006.htmlhttp://www.redhat.com/support/errata/RHSA-2006-0567.htmlhttp://www.redhat.com/support/errata/RHSA-2006-0568.htmlhttp://www.securityfocus.com/archive/1/447866/100/0/threadedhttp://www.securityfocus.com/bid/17439http://www.ubuntu.com/usn/usn-320-1http://www.vupen.com/english/advisories/2006/1290https://exchange.xforce.ibmcloud.com/vulnerabilities/25705https://issues.rpath.com/browse/RPL-683https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10196ftp://patches.sgi.com/support/free/security/advisories/20060701-01-Uhttp://rhn.redhat.com/errata/RHSA-2006-0549.htmlhttp://secunia.com/advisories/19599http://secunia.com/advisories/19775http://secunia.com/advisories/19979http://secunia.com/advisories/21031http://secunia.com/advisories/21125http://secunia.com/advisories/21135http://secunia.com/advisories/21202http://secunia.com/advisories/21252http://secunia.com/advisories/21723http://secunia.com/advisories/22225http://securityreason.com/achievement_securityalert/36http://securityreason.com/securityalert/677http://securitytracker.com/id?1015881http://support.avaya.com/elmodocs2/security/ASA-2006-175.htmhttp://www.mandriva.com/security/advisories?name=MDKSA-2006:074http://www.novell.com/linux/security/advisories/05-05-2006.htmlhttp://www.redhat.com/support/errata/RHSA-2006-0567.htmlhttp://www.redhat.com/support/errata/RHSA-2006-0568.htmlhttp://www.securityfocus.com/archive/1/447866/100/0/threadedhttp://www.securityfocus.com/bid/17439http://www.ubuntu.com/usn/usn-320-1http://www.vupen.com/english/advisories/2006/1290https://exchange.xforce.ibmcloud.com/vulnerabilities/25705https://issues.rpath.com/browse/RPL-683https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10196
2006-04-10
Published