CVE-2006-6383

PHP 5.2.0 and 4.4 - Local Restriction Bypass via Null Byte in session_save_path

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6383. PoCs published by Maksymilian Arciemowicz.

AI-analyzed exploit summary This exploit bypasses PHP's 'safe_mode' and 'open_basedir' restrictions by leveraging a null byte injection in the 'session_save_path' function. It allows an attacker to write session files to unauthorized directories, potentially leading to information disclosure or file manipulation.

Description

PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ";" in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Maksymilian Arciemowicz · textlocalphp

https://www.exploit-db.com/exploits/29239

View Code ZIP pw:eip

This exploit bypasses PHP's 'safe_mode' and 'open_basedir' restrictions by leveraging a null byte injection in the 'session_save_path' function. It allows an attacker to write session files to unauthorized directories, potentially leading to information disclosure or file manipulation.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: PHP version 5.2.0

No auth needed

Prerequisites: PHP 5.2.0 with 'safe_mode' or 'open_basedir' enabled · Ability to execute arbitrary PHP code

MITRE ATT&CK