Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-4018)

Description

The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.

Remediation

References

Related Vulnerabilities

Drupal Core 8.x.x Directory Traversal (8.0.0 - 8.5.15)

WordPress Plugin WP Easy Columns Cross-Site Scripting (2.1.3)

Jboss EAP Uncontrolled Resource Consumption Vulnerability (CVE-2020-14384)

Oracle Database Server CVE-2014-6545 Vulnerability (CVE-2014-6545)

WordPress Plugin Catch Infinite Scroll Security Bypass (1.8.1)

Severity

High

Classification

CVE-2009-4018 CWE-264

Tags

Missing Update Known Vulnerabilities