Permissions, Privileges, and Access Controls in PHP - CVE-2008-7002
Published: August 19, 2009 / Updated: June 10, 2025
Vulnerability identifier: #VU110325
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2008-7002
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vendor: PHP Group
Affected software:
PHP
PHP
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary code.
PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir restrictions for certain functions, which might allow local users to bypass intended access restrictions and call programs outside of the intended directory via the (1) exec, (2) system, (3) shell_exec, (4) passthru, or (5) popen functions, possibly involving pathnames such as "C:" drive notation.
How to mitigate CVE-2008-7002
Install update from vendor's website.