CVE-2006-3011
Published: 2006-06-26
Priority: P418 · medium · 4.6 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.34% (67.8th percentile)
The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode.
Affected
66 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 4.4.3 | — |
CVSS provenance
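| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |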
GHSA
GHSA-7mhv-mg92-qx3w: The error_log function in basic_functions
ghsa_unreviewed·2022-05-01
CVE-2006-3011 [MEDIUM] GHSA-7mhv-mg92-qx3w: The error_log function in basic_functions
The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode.
GHSA
GHSA-mh5c-w8xj-c58r: The (1) file_exists and (2) imap_reopen functions in PHP before 5
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2006-4481 [CRITICAL] GHSA-mh5c-w8xj-c58r: The (1) file_exists and (2) imap_reopen functions in PHP before 5
The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. NOTE: the error_log function is covered by CVE-2006-3011, and the imap_open function is covered by CVE-2006-1017.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2006-07-19·CVSS 4.3
CVE-2006-1494 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: PHP vulnerabilities
The phpinfo() PHP function did not properly sanitize long strings. A
remote attacker could use this to perform cross-site scripting attacks
against sites that have publicly-available PHP scripts that call
phpinfo(). Please note that it is not recommended to publicly expose
phpinfo(). (CVE-2006-0996)
An information disclosure has been reported in the
html_entity_decode() function. A script which uses this function to
process arbitrary user-supplied input could be exploited to expose a
random part of memory, which could potentially reveal sensitive data.
(CVE-2006-1490)
The wordwrap() function did not sufficiently check the validity of the
'break' argument. An attacker who could control the string passed to
the 'break' parameter cou
Red Hat
CVE-2006-3011 multiple PHP safe mode bypasses (CVE-2006-4481, CVE-2006-2563)
vendor_redhat·2006-06-26·CVSS 2.1
CVE-2006-3011 [LOW] CVE-2006-3011 multiple PHP safe mode bypasses (CVE-2006-4481, CVE-2006-2563)
The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode.
Statement: We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
Red Hat
CVE-2006-4481: The (1) file_exists and (2) imap_reopen functions in PHP before 5
vendor_redhat·CVSS 9.3
CVE-2006-4481 [CRITICAL] CVE-2006-4481: The (1) file_exists and (2) imap_reopen functions in PHP before 5
The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. NOTE: the error_log function is covered by CVE-2006-3011, and the imap_open function is covered by CVE-2006-1017.
Statement: We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
No detection rules found.
Exploit-DB
PHP 5.2.6 - 'error_log' Safe_mode Bypass
exploitdb·2008-11-20
CVE-2008-5625 PHP 5.2.6 - 'error_log' Safe_mode Bypass
---
[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]
Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.11.2008
- Public: 20.11.2008
SecurityReason Research
SecurityAlert Id: 57
CWE: CWE-264
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/57
Vendor: http://www.php.net
--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.
error_log
They allow you to define your own error handling rules, as well as modify the wa
Exploit-DB
CubeCart 3.0.11 - 'oid' Blind SQL Injection
exploitdb·2006-08-17
CVE-2006-4267 CubeCart 3.0.11 - 'oid' Blind SQL Injection
---
#!/usr/bin/php -q -d short_open_tag=on
this works against MySQL >=4.1 (allowing subs)
');
/* short explanation:
software site: http://www.cubecart.com/site/home/
same kind of sql injection of http://retrogod.altervista.org/cubecart_3011_sql.html
but this bypass magic_quotes_gpc=On because of base64_decode() function used in
/modules/gateway/Protx/confirmed.php used near lines:
...
if($success == TRUE){
$cart_order_id = base64_decode($_GET['oid']);
include_once("../../../includes/orderSuccess.inc.php");
$result = "?pg=".base64_encode("Protx");
} else {
...
*/
if ($argc 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($stri
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?diff_format=u&view=log&pathrev=PHP_4_4
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.9&r2=1.543.2.51.2.10&pathrev=PHP_4_4&diff_format=u
http://secunia.com/advisories/20818
http://secunia.com/advisories/21050
http://secunia.com/advisories/21125
http://secunia.com/advisories/21546
http://securityreason.com/achievement_securityalert/41
http://securityreason.com/securityalert/1129
http://securitytracker.com/id?1016377
http://www.mandriva.com/security/advisories?name=MDKSA-2006:122
http://www.osvdb.org/26827
http://www.php.net/release_5_1_5.php
http://www.securityfocus.com/bid/18645
http://www.ubuntu.com/usn/usn-320-1
http://www.vupen.com/english/advisories/2006/2523
https://exchange.xforce.ibmcloud.com/vulnerabilities/27414