Description

PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable.

Remediation

References

CVE-2008-5624

Related Vulnerabilities

WordPress Plugin Auto Amazon Links-Amazon Associates Affiliate Cross-Site Scripting (4.6.19)

WordPress Plugin Two Way CHAT-Send or receive messages to your user Multiple Vulnerabilities (3.1.4)

WordPress Plugin DW Mega Menu Cross-Site Request Forgery (1.0.1)

WordPress Plugin Redirect 404 to parent Cross-Site Scripting (1.3.0)

Elgg Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-6561)

Severity

High

Classification

CVE-2008-5624 CWE-264

Tags

Missing Update Known Vulnerabilities