CVE-2009-4018 | Vulnerability Database | Aqua Security

The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.

Affected Software

Name	Vendor	Start Version	End Version
Php	Php	*	5.2.10 (including)
Php	Php	1.0 (including)	1.0 (including)
Php	Php	2.0 (including)	2.0 (including)
Php	Php	2.0b10 (including)	2.0b10 (including)
Php	Php	3.0 (including)	3.0 (including)
Php	Php	3.0.1 (including)	3.0.1 (including)
Php	Php	3.0.2 (including)	3.0.2 (including)
Php	Php	3.0.3 (including)	3.0.3 (including)
Php	Php	3.0.4 (including)	3.0.4 (including)
Php	Php	3.0.5 (including)	3.0.5 (including)
Php	Php	3.0.6 (including)	3.0.6 (including)
Php	Php	3.0.7 (including)	3.0.7 (including)
Php	Php	3.0.8 (including)	3.0.8 (including)
Php	Php	3.0.9 (including)	3.0.9 (including)
Php	Php	3.0.10 (including)	3.0.10 (including)
Php	Php	3.0.11 (including)	3.0.11 (including)
Php	Php	3.0.12 (including)	3.0.12 (including)
Php	Php	3.0.13 (including)	3.0.13 (including)
Php	Php	3.0.14 (including)	3.0.14 (including)
Php	Php	3.0.15 (including)	3.0.15 (including)
Php	Php	3.0.16 (including)	3.0.16 (including)
Php	Php	3.0.17 (including)	3.0.17 (including)
Php	Php	3.0.18 (including)	3.0.18 (including)
Php	Php	4 (including)	4 (including)
Php	Php	4.0 (including)	4.0 (including)
Php	Php	4.0-beta_4_patch1 (including)	4.0-beta_4_patch1 (including)
Php	Php	4.0-beta1 (including)	4.0-beta1 (including)
Php	Php	4.0-beta2 (including)	4.0-beta2 (including)
Php	Php	4.0-beta3 (including)	4.0-beta3 (including)
Php	Php	4.0-beta4 (including)	4.0-beta4 (including)
Php	Php	4.0-rc1 (including)	4.0-rc1 (including)
Php	Php	4.0-rc2 (including)	4.0-rc2 (including)
Php	Php	4.0.0 (including)	4.0.0 (including)
Php	Php	4.0.1 (including)	4.0.1 (including)
Php	Php	4.0.1-patch1 (including)	4.0.1-patch1 (including)
Php	Php	4.0.1-patch2 (including)	4.0.1-patch2 (including)
Php	Php	4.0.2 (including)	4.0.2 (including)
Php	Php	4.0.3 (including)	4.0.3 (including)
Php	Php	4.0.3-patch1 (including)	4.0.3-patch1 (including)
Php	Php	4.0.4 (including)	4.0.4 (including)
Php	Php	4.0.4-patch1 (including)	4.0.4-patch1 (including)
Php	Php	4.0.5 (including)	4.0.5 (including)
Php	Php	4.0.6 (including)	4.0.6 (including)
Php	Php	4.0.7 (including)	4.0.7 (including)
Php	Php	4.0.7-rc1 (including)	4.0.7-rc1 (including)
Php	Php	4.0.7-rc2 (including)	4.0.7-rc2 (including)
Php	Php	4.0.7-rc3 (including)	4.0.7-rc3 (including)
Php	Php	4.0.7-rc4 (including)	4.0.7-rc4 (including)
Php	Php	4.1.0 (including)	4.1.0 (including)
Php	Php	4.1.1 (including)	4.1.1 (including)
Php	Php	4.1.2 (including)	4.1.2 (including)
Php	Php	4.2 (including)	4.2 (including)
Php	Php	4.2.0 (including)	4.2.0 (including)
Php	Php	4.2.1 (including)	4.2.1 (including)
Php	Php	4.2.2 (including)	4.2.2 (including)
Php	Php	4.2.3 (including)	4.2.3 (including)
Php	Php	4.3.0 (including)	4.3.0 (including)
Php	Php	4.3.1 (including)	4.3.1 (including)
Php	Php	4.3.2 (including)	4.3.2 (including)
Php	Php	4.3.3 (including)	4.3.3 (including)
Php	Php	4.3.4 (including)	4.3.4 (including)
Php	Php	4.3.5 (including)	4.3.5 (including)
Php	Php	4.3.6 (including)	4.3.6 (including)
Php	Php	4.3.7 (including)	4.3.7 (including)
Php	Php	4.3.8 (including)	4.3.8 (including)
Php	Php	4.3.9 (including)	4.3.9 (including)
Php	Php	4.3.10 (including)	4.3.10 (including)
Php	Php	4.3.11 (including)	4.3.11 (including)
Php	Php	4.4.0 (including)	4.4.0 (including)
Php	Php	4.4.1 (including)	4.4.1 (including)
Php	Php	4.4.2 (including)	4.4.2 (including)
Php	Php	4.4.3 (including)	4.4.3 (including)
Php	Php	4.4.4 (including)	4.4.4 (including)
Php	Php	4.4.5 (including)	4.4.5 (including)
Php	Php	4.4.6 (including)	4.4.6 (including)
Php	Php	4.4.7 (including)	4.4.7 (including)
Php	Php	4.4.8 (including)	4.4.8 (including)
Php	Php	4.4.9 (including)	4.4.9 (including)
Php	Php	5 (including)	5 (including)
Php	Php	5.0-rc1 (including)	5.0-rc1 (including)
Php	Php	5.0-rc2 (including)	5.0-rc2 (including)
Php	Php	5.0-rc3 (including)	5.0-rc3 (including)
Php	Php	5.0.0 (including)	5.0.0 (including)
Php	Php	5.0.0-beta1 (including)	5.0.0-beta1 (including)
Php	Php	5.0.0-beta2 (including)	5.0.0-beta2 (including)
Php	Php	5.0.0-beta3 (including)	5.0.0-beta3 (including)
Php	Php	5.0.0-beta4 (including)	5.0.0-beta4 (including)
Php	Php	5.0.0-rc1 (including)	5.0.0-rc1 (including)
Php	Php	5.0.0-rc2 (including)	5.0.0-rc2 (including)
Php	Php	5.0.0-rc3 (including)	5.0.0-rc3 (including)
Php	Php	5.0.1 (including)	5.0.1 (including)
Php	Php	5.0.2 (including)	5.0.2 (including)
Php	Php	5.0.3 (including)	5.0.3 (including)
Php	Php	5.0.4 (including)	5.0.4 (including)
Php	Php	5.0.5 (including)	5.0.5 (including)
Php	Php	5.1.0 (including)	5.1.0 (including)
Php	Php	5.1.1 (including)	5.1.1 (including)
Php	Php	5.1.2 (including)	5.1.2 (including)
Php	Php	5.1.3 (including)	5.1.3 (including)
Php	Php	5.1.4 (including)	5.1.4 (including)
Php	Php	5.1.5 (including)	5.1.5 (including)
Php	Php	5.1.6 (including)	5.1.6 (including)
Php	Php	5.2.0 (including)	5.2.0 (including)
Php	Php	5.2.2 (including)	5.2.2 (including)
Php	Php	5.2.4 (including)	5.2.4 (including)
Php	Php	5.2.6 (including)	5.2.6 (including)
Php	Php	5.2.7 (including)	5.2.7 (including)
Php	Php	5.2.8 (including)	5.2.8 (including)
Php	Php	5.2.9 (including)	5.2.9 (including)
Php	Php	5.3.0 (including)	5.3.0 (including)
Php5	Ubuntu	dapper	*
Php5	Ubuntu	hardy	*
Php5	Ubuntu	intrepid	*
Php5	Ubuntu	jaunty	*
Php5	Ubuntu	karmic	*
Php5	Ubuntu	upstream	*

References

http://bugs.php.net/bug.php?id=49026
http://marc.info/?l=bugtraq\u0026m=127680701405735\u0026w=2
http://marc.info/?l=oss-security\u0026m=125886770008678\u0026w=2
http://marc.info/?l=oss-security\u0026m=125897935330618\u0026w=2
http://secunia.com/advisories/40262
http://secunia.com/advisories/41480
http://secunia.com/advisories/41490
http://svn.php.net/viewvc/?view=revision\u0026revision=286360
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/proc_open.c?r1=286360\u0026r2=286359\u0026pathrev=286360
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/proc_open.c?r1=286360\u0026r2=286359\u0026pathrev=286360
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
http://www.openwall.com/lists/oss-security/2009/11/23/15
http://www.php.net/ChangeLog-5.php
http://www.securityfocus.com/bid/37138
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7256
http://bugs.php.net/bug.php?id=49026
http://marc.info/?l=bugtraq\u0026m=127680701405735\u0026w=2
http://marc.info/?l=oss-security\u0026m=125886770008678\u0026w=2
http://marc.info/?l=oss-security\u0026m=125897935330618\u0026w=2
http://secunia.com/advisories/40262
http://secunia.com/advisories/41480
http://secunia.com/advisories/41490
http://svn.php.net/viewvc/?view=revision\u0026revision=286360
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/proc_open.c?r1=286360\u0026r2=286359\u0026pathrev=286360
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/proc_open.c?r1=286360\u0026r2=286359\u0026pathrev=286360
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
http://www.mandriva.com/security/advisories?name=MDVSA-2009:303
http://www.openwall.com/lists/oss-security/2009/11/23/15
http://www.php.net/ChangeLog-5.php
http://www.securityfocus.com/bid/37138
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7256

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-4018
CWE	https://cwe.mitre.org/data/definitions/264.html