The (1) session_save_path, (2) ini_set, and (3) error_log functions in PHP 4.4.7 and earlier, and PHP 5 5.2.3 and earlier, when invoked from a .htaccess file, allow remote attackers to bypass safe_mode and open_basedir restrictions and possibly execute arbitrary commands, as demonstrated using (a) php_value, (b) php_flag, and (c) directives in .htaccess.
References
Configurations
Information
Published : 2007-06-29 11:30
Updated : 2020-09-18 12:15
NVD link : CVE-2007-3378
Mitre link : CVE-2007-3378
JSON object : View
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
php
- php