Description

PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable.

Remediation

References

CVE-2008-5624

Related Vulnerabilities

WordPress Plugin Visual Composer:Page Builder for WordPress Local File Inclusion (5.1)

WordPress Plugin Bad Behavior Multiple Cross-Site Scripting Vulnerabilities (2.2.4)

Joomla Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2015-8769)

WordPress Plugin iThemes Security (formerly Better WP Security) Cross-Site Scripting (5.6.1)

WordPress Plugin Smart Flv 'jwplayer.swf' Multiple Cross-Site Scripting Vulnerabilities (1.0)

Severity

High

Classification

CVE-2008-5624 CWE-264

Tags

Missing Update Known Vulnerabilities