Abysssec Inc Public Advisory Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability Affected Version : Tested on 5.2.8, 5.2.6 but previous versions maybe be afftect Vendor Site : www.php.net Vulnerability Discoverd by : www.abysssec.com Description : Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows . the problem comes from OS behavior - implement and interfacing between php and operation systems directory structure . the problem is php won't tell difference between directory browsing in linux and windows this can lead attacker to ability execute his / her commands on targert machie even in SafeMod On (php.ini setting) . Vulnerability : in linux when you want open a directory for example php directory you need to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell diffence between slash and back slash it means there is no didffrence between c:\php and c:/php , and this is not vulnerability but itself but because of this simple php implement "\" character can escape safemode using function like excec . PoC / Exploit : orginal : www.abysssec.com/safemod-windows.zip mirror : www.milw0rm.com/sploits/2009-safemod-windows.zip note : this vulnerabities is just for educational purpose and showing vulnerability exist so author will be not be responsible for any damage using this vulnerabilty. for more information visit Abysssec.com feel free to contact me at admin [at] abysssec.com # milw0rm.com [2009-05-26]