CVE-2006-4625

PHP 4.x-4.4.4 and 5-5.1.6 - Local Security Restriction Bypass via ini_restore Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4625. PoCs published by Maksymilian Arciemowicz.

AI-analyzed exploit summary: This exploit demonstrates a bypass of PHP's safe_mode and open_basedir restrictions by using ini_restore() to reset configurations, allowing unauthorized file access. It includes /etc/passwd to prove the bypass works.

Description

PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allow local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore() function, which resets those values to their php.ini (Master Value) defaults.

Exploits (1)

exploitdb · Working PoC · Verified
by Maksymilian Arciemowicz · phplocalphp
https://www.exploit-db.com/exploits/28504

Classification
Working PoC: 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: PHP versions 5.1.6, 4.4.4, and earlier
Authentication: none needed
Prerequisites: PHP safe_mode and open_basedir restrictions enabled; ability to execute arbitrary PHP code on the target system
Analyzed by devstral-2 on Feb 16, 2026

References (21)

Core References
- Third Party Advisory, VDB entry (vupen): http://www.vupen.com/english/advisories/2007/1991
- Third Party Advisory (secunia): http://secunia.com/advisories/22338
- Third Party Advisory, VDB Entry, mailing list (bugtraq): http://www.securityfocus.com/archive/1/445712/100/0/threaded
- Third Party Advisory, VDB Entry, vendor advisory (openpkg): http://www.securityfocus.com/archive/1/448953/100/0/threaded
- Third Party Advisory (sreason): http://securityreason.com/securityalert/1519
- Various Sources, vendor advisory (turbo): http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
- Vendor Advisory (ubuntu): http://www.ubuntu.com/usn/usn-362-1
- Third Party Advisory, VDB Entry, mailing list (bugtraq): http://www.securityfocus.com/archive/1/445882/100/0/threaded
- Third Party Advisory, VDB entry (vupen): http://www.vupen.com/english/advisories/2007/2374
- Third Party Advisory (secunia): http://secunia.com/advisories/25423
- Third Party Advisory (secunia): http://secunia.com/advisories/22282
- Exploit, VDB entry (bid): http://www.securityfocus.com/bid/19933
- Third Party Advisory, VDB Entry (xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/28853
- Various Sources, vendor advisory (suse): http://lists.suse.com/archive/suse-security-announce/2006-Oct/0002.html
- Vendor Advisory (mandriva): http://www.mandriva.com/security/advisories?name=MDKSA-2006:185
- Third Party Advisory (secunia): http://secunia.com/advisories/22331
- Third Party Advisory (secunia): http://secunia.com/advisories/25850
- Exploit, Patch (sreasonres): http://securityreason.com/achievement_securityalert/42
- Third Party Advisory (secunia): http://secunia.com/advisories/22424

Scores

EPSS 0.0091
EPSS Percentile 55.2%

Details

Status: published
Products (42):
php/php 4.0
php/php 4.0.1 (3 CPE variants)
php/php 4.0.2
php/php 4.0.3 (2 CPE variants)
php/php 4.0.4
php/php 4.0.5
php/php 4.0.6
php/php 4.0.7 (4 CPE variants)
php/php 4.1.0
php/php 4.1.1
... and 32 more
Published: Sep 12, 2006
Tracked Since: Feb 18, 2026