USN-207-1: PHP vulnerability

17 October 2005

php4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

A bug has been found in the handling of the open_basedir directive handling. Contrary to the specification, the value of open_basedir was handled as a prefix instead of a proper directory name even if it was terminated by a slash (‘/’). For example, this allowed PHP scripts to access the directory /home/user10 when open_basedir was configured to ‘/home/user1/’.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.04
libapache-mod-php4
libapache2-mod-php4
Ubuntu 4.10
libapache-mod-php4
libapache2-mod-php4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References