
Why upgrade PHP to 5.2.8? Part 2

Submitted by Sandro on December 19, 2008 – 11:07 pm | 2 Comments

To read part 1 of this article please refer to the previous post.

Note: a large number of the vulnerabilities described in this post can be exploited to bypass safe_mode. It is not recommended to rely on this PHP feature for the security of your web servers. Only use safe_mode as a supplement to PHP code that has been truly audited (with AcuSensor technology, of course).

Not all vulnerabilities described are simply a safe_mode bypass. The IMAP toolkit crash is more than just a crash!

Incorrect php_value order for Apache configuration

This vulnerability affects sysadmins who rely on the safety features of safe_mode to protect their servers against users executing malicious PHP code on the server. The flaw was reported by SecurityReason. In their advisory, SecurityReason show how it can be exploited by attackers who can modify the PHP configuration by editing the Apache configuration (httpd.conf) or a .htaccess file. If the error_log directive is already set to a PHP script, and the attacker can edit that script, then the attacker can also bypass PHP’s safe_mode feature. This is a local exploit.

Fixed a crash inside gd with invalid fonts (CVE-2008-3658)

GD handles image processing in PHP. It can also be used to read font files through the imageloadfont() function. This function suffers from a buffer overflow which can be used to execute arbitrary code or cause a denial of service. The vulnerability affects any PHP code that calls imageloadfont() with user-defined font files (normally *.gdf files).

Fixed a possible overflow inside memnstr (CVE-2008-3659)

An attacker can execute arbitrary code if he or she can specify the delimiter passed to the explode() PHP function. Although explode() is used very widely, accepting user-defined delimiters is neither common nor recommended, so most applications should not be vulnerable to this. However, this vulnerability can be exploited locally to bypass safe_mode restrictions.
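The two application-level patterns the post warns about (a user-supplied font file reaching imageloadfont(), and a user-supplied delimiter reaching explode()) can be removed at the code level regardless of the PHP version in use. The following is an added example, not code from the original post or from Acunetix: each unsafe form is shown beside a hardened form that keeps the dangerous argument under server control. The $_GET parameter names, the font directory and the delimiter list are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original post). Two unsafe patterns from the
// post, each beside a hardened form. $_GET names, the font directory and
// the delimiter list are illustrative assumptions.

// --- imageloadfont(): never pass a user-supplied path -------------------
// Unsafe: the caller picks any file on disk, so a malformed .gdf file can
// reach the overflow fixed in 5.2.8 (CVE-2008-3658).
function load_font_unsafe($path)
{
    return imageloadfont($path);
}

// Hardened: the user picks a *name*; the server maps it to a fixed file.
function load_font_safe($name)
{
    $fonts = array(                       // server-controlled font files (assumed paths)
        'small' => '/usr/share/fonts/gd/small.gdf',
        'large' => '/usr/share/fonts/gd/large.gdf',
    );
    if (!isset($fonts[$name])) {
        return false;                     // unknown name: refuse, do not guess
    }
    return imageloadfont($fonts[$name]);
}

// --- explode(): keep the delimiter out of the user's hands --------------
// Unsafe: a user-chosen delimiter reaches memnstr (CVE-2008-3659).
function split_unsafe($delim, $data)
{
    return explode($delim, $data);
}

// Hardened: only a short, fixed set of delimiters is ever used; anything
// else falls back to a known-good default instead of being passed through.
function split_safe($delim, $data)
{
    $allowed = array(',', ';', "\t", '|');
    if (!in_array($delim, $allowed, true)) {
        $delim = ',';
    }
    return explode($delim, $data);
}

// Usage with request input (constructed for the example):
$font = load_font_safe(isset($_GET['font']) ? $_GET['font'] : 'small');
$cols = split_safe(isset($_GET['d']) ? $_GET['d'] : ',', 'a,b;c');
var_dump($font !== false, $cols);
```

The design choice in both hardened functions is the same: the request may select among options the server defines, but the bytes that reach the vulnerable C routine are never the request's own. That also removes the local safe_mode bypass the post mentions, since a script cannot pick its own delimiter at runtime.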

Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666

CVE-2008-2665 details another vulnerability that can be used to bypass safe_mode: a directory traversal issue in the PHP function posix_access(), which checks the permissions of a file. CVE-2008-2666 describes an even more subtle bypass, where the chdir() and ftok() functions can allow access to files that should not be accessible under safe_mode if the directory name starts with the string “http:”.

Crash with URI/file..php (filename contains 2 dots) (CVE-2008-3660)

If you are using the FastCGI module, then users accessing your web server can cause a denial of service simply by supplying two or more dots before the .php extension. This vulnerability could easily be triggered unintentionally, so updating is highly recommended if the web server uses FastCGI.

IMAP toolkit crash: rfc822.c legacy routine buffer overflow (fixes CVE-2008-2829)

PHP made use of old code written in 1988 which did not handle large buffers, leading to a classic buffer overflow. How can this be exploited? If you use PHP code that reads messages from an IMAP server, that code is exposed to the overflow. By exploiting this hole attackers can crash the HTTP server, execute arbitrary code and gain access to the server. Emails exploiting this vulnerability typically contain very large address lists in the To or CC header. The vulnerability is described in the PHP bug report and could easily be triggered, unintentionally or intentionally, by anyone using PHP applications that rely on PHP’s IMAP functionality, such as TWIG.

When upgrading, make sure that you go for version 5.2.8 (or greater), which was issued to fix a flaw introduced in version 5.2.7.
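Before upgrading a fleet it helps to know which of the fixes above actually apply to a given PHP build. The script below is an added example, not part of the original post or an Acunetix tool: it uses only standard PHP functions (version_compare(), ini_get(), extension_loaded(), php_sapi_name()) to report the version gate from the post, whether safe_mode is being trusted, which extensions expose the gd and IMAP issues, and whether the FastCGI SAPI is in use. The report wording is this example's own.

```php
<?php
// Added example (not from the original post): triage which of the fixes
// listed in the post apply to the PHP build running this script.
// Thresholds are the post's own (5.2.8 required; 5.2.7 is the broken release).

function php_exposure_report()
{
    $report  = array();
    $version = PHP_VERSION;

    // Version gate: the post's advice is 5.2.8 or greater.
    if (version_compare($version, '5.2.8', '<')) {
        $report[] = "PHP $version is older than 5.2.8: all fixes below are missing";
        if (version_compare($version, '5.2.7', '==')) {
            $report[] = '5.2.7 is the release that introduced the flaw 5.2.8 corrects';
        }
    } else {
        $report[] = "PHP $version is 5.2.8 or later";
    }

    // safe_mode reliance: the php_value/error_log issue and the
    // CVE-2008-2665 / CVE-2008-2666 bypasses only matter if safe_mode is
    // trusted as a boundary. ini_get() returns a falsy value when it is off
    // (and false on builds where the directive no longer exists).
    if (ini_get('safe_mode')) {
        $report[] = 'safe_mode is enabled: do not treat it as a security boundary';
    }

    // Extension-specific exposure.
    if (extension_loaded('gd') && function_exists('imageloadfont')) {
        $report[] = 'gd present: audit imageloadfont() calls for user-supplied paths (CVE-2008-3658)';
    }
    if (extension_loaded('imap')) {
        $report[] = 'imap present: messages parsed by imap_* functions reach rfc822.c (CVE-2008-2829)';
    }

    // SAPI: the URI/file..php crash is a FastCGI issue; PHP built as a
    // FastCGI binary reports the 'cgi-fcgi' SAPI name.
    if (php_sapi_name() === 'cgi-fcgi') {
        $report[] = 'running under FastCGI: the two-dot filename crash applies (CVE-2008-3660)';
    }

    return $report;
}

foreach (php_exposure_report() as $line) {
    echo $line, "\n";
}
```

Run it once per server (or per SAPI, since a host may serve PHP through both mod_php and FastCGI) and prioritise the hosts that combine an old version with an enabled safe_mode or a loaded imap extension, as those are the cases the post singles out as more than a crash.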
