PHP vulnerability allows settings to be bypassed
A vulnerability in the current version of PHP allows attackers to bypass security settings. The problem can arise if PHP is used as an Apache module, which is often the case in shared hosting environments.
System settings set with php_admin_value from php.ini cannot usually be overridden by Apache configuration files such as .htaccess. If PHP is running as an Apache module, however, the administrator can set values in the Apache configuration which differ from those in php.ini. In the current PHP versions, 5.1.6 and 4.4.4, and possibly also in older versions, a bug lets attackers use the ini_restore() function to restore the variable values from php.ini.
A very common PHP configuration at shared hosting businesses sets the default value for safe_mode to off and for open_basedir to no value in php.ini. The correct values are usually set in the Apache configuration for the virtual hosts. This vulnerability opens the floodgates for malware which can penetrate the system via vulnerabilities in PHP scripts and cause extensive damage to a system.
According to the vulnerability's discoverer, Maksymilian Arciemowicz, the error has already been fixed in the PHP source in the version control system. Whether or not a corrected PHP version will be released is not yet clear.
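To check whether a server matches the hosting configuration described above, the following added example (not code from the advisory or from PHP) audits a php.ini and a virtual host block and reports restrictions that would fall back to a permissive php.ini value. The sample configuration text is constructed, and treating an `ini_restore` entry in `disable_functions` as a mitigation is an assumption of this example, not something the article states.

```python
import re

# Constructed sample inputs (not taken from the article or the advisory).
PHP_INI = """\
; global defaults
safe_mode = Off
open_basedir =
disable_functions =
"""

VHOST_CONF = """\
<VirtualHost *:80>
    ServerName customer1.example
    php_admin_flag safe_mode on
    php_admin_value open_basedir /var/www/customer1
</VirtualHost>
"""

WATCHED = ("safe_mode", "open_basedir")          # settings named in the article
OFF = {"", "0", "off", "false", "no", "none"}    # values that mean "no restriction"

def parse_ini(text):
    """Return {directive: value} from php.ini-style text, skipping comments and sections."""
    out = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()     # simplification: ';' always starts a comment
        if "=" in line and not line.startswith("["):
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out

def vhost_overrides(text):
    """Return {directive: value} set with php_admin_value / php_admin_flag."""
    pat = re.compile(r"^[ \t]*php_admin_(?:value|flag)[ \t]+(\S+)[ \t]*(.*)$", re.I | re.M)
    return {m.group(1): m.group(2).strip().strip('"') for m in pat.finditer(text)}

def audit(php_ini, vhost_conf):
    """List watched directives whose vhost restriction would revert to a permissive php.ini value."""
    ini = parse_ini(php_ini)
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    if "ini_restore" in disabled:                # assumed mitigation: function unavailable to scripts
        return []
    vhost = vhost_overrides(vhost_conf)
    return [d for d in WATCHED
            if vhost.get(d, "").lower() not in OFF and ini.get(d, "").lower() in OFF]

if __name__ == "__main__":
    for name in audit(PHP_INI, VHOST_CONF):
        print(f"{name}: vhost restriction falls back to a permissive php.ini value")
```

An empty result means either that php.ini itself already carries restrictive values for both settings or that `ini_restore` is listed in `disable_functions`.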
- PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore(), security bulletin by Maksymilian Arciemowicz
(ehe)