#VU110469 Race condition in PHP - CVE-2006-5178

Cybersecurity Help s.r.o.

Published: 2018-10-30 | Updated: 2025-06-08

Vulnerability identifier: #VU110469

Vulnerability risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2006-5178

CWE-ID: CWE-362

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a local user to execute arbitrary code.

Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1, 4.1.1, 4.1.2, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5

External links
https://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049850.html
https://secunia.com/advisories/22235
https://secunia.com/advisories/22424
https://securityreason.com/securityalert/1692
https://securitytracker.com/id?1016977
https://www.hardened-php.net/advisory_082006.132.html
https://www.mandriva.com/security/advisories?name=MDKSA-2006:185
https://www.neosecurityteam.net/index.php?action=advisories&id=26
https://www.securityfocus.com/archive/1/447649/100/0/threaded
https://www.securityfocus.com/archive/1/448020/100/0/threaded
https://www.securityfocus.com/archive/1/448953/100/0/threaded
https://www.securityfocus.com/bid/20326
https://www.turbolinux.com/security/2006/TLSA-2006-38.txt
https://www.vupen.com/english/advisories/2006/3901
https://exchange.xforce.ibmcloud.com/vulnerabilities/29340

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PHP