#VU110325 Permissions, Privileges, and Access Controls in PHP - CVE-2008-7002
Published: August 19, 2009 / Updated: June 10, 2025
Vulnerability identifier: #VU110325
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2008-7002
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vulnerable software:
PHP
PHP
Software vendor:
PHP Group
PHP Group
Description
The vulnerability allows a local user to execute arbitrary code.
PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir restrictions for certain functions, which might allow local users to bypass intended access restrictions and call programs outside of the intended directory via the (1) exec, (2) system, (3) shell_exec, (4) passthru, or (5) popen functions, possibly involving pathnames such as "C:" drive notation.
Remediation
Install update from vendor's website.