CVE-2007-5424 - The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by usi

CVE-2007-5424

Summary

The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled.

References

Vulnerable Configurations

cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 15-10-2018 - 21:44)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bugtraq	20071010 Vulnerabilities digest
misc	http://securityvulns.com/news/PHP/alias-pb.html http://securityvulns.ru/Sdocument67.html
sreason	3216

statements via4

contributor	Mark J Cox
lastmodified	2007-10-16
organization	Red Hat
statement	Red Hat does not consider this to be a security issue. The function behaves as documented. Furthermore, the function shouldn’t be considered a security feature, for reasons described at https://bugzilla.redhat.com/show_bug.cgi?id=332451#c3 and http://www.php.net/security-note.php

Last major update

15-10-2018 - 21:44

Published

12-10-2007 - 23:17

Last modified

15-10-2018 - 21:44