#VU110357 Permissions, Privileges, and Access Controls in PHP - CVE-2007-5447

Cybersecurity Help s.r.o.

Published: 2017-09-29 | Updated: 2025-06-11

Vulnerability identifier: #VU110357

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2007-5447

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP 5.2.4 does not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by reading arbitrary files via the ioncube_read_file function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 5.2.4

External links
https://osvdb.org/41708
https://secunia.com/advisories/27178
https://www.securityfocus.com/bid/26024
https://exchange.xforce.ibmcloud.com/vulnerabilities/37227
https://www.exploit-db.com/exploits/4517

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PHP