PHP <= 5.2.9 Local Safemod Bypass Exploit (win32)

Source: Internet  Editor: 程序博客网  Time: 2024/06/07 02:39
Abysssec Inc Public Advisory

Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability
Affected Version : Tested on 5.2.8 and 5.2.6, but previous versions may be affected
Vendor Site : www.php.net
Vulnerability Discovered by : www.abysssec.com

Description :

Here is another safe mode bypass vulnerability that exists in PHP <= 5.2.9 on Windows. The problem comes from OS behavior: the implementation of, and interfacing between, PHP and the operating system's directory structure. PHP does not distinguish between directory browsing on Linux and on Windows, which can give an attacker the ability to execute his / her commands on the target machine even with SafeMod On (php.ini setting).

Vulnerability :

On Linux, when you want to open a directory, for example the php directory, you need to go to /usr/bin/php and you can't use \usr\bin\php. But Windows doesn't tell the difference between slash and backslash, which means there is no difference between c:\php and c:/php. This is not a vulnerability by itself, but because of this simple PHP implementation the "/" character can escape safe mode using functions like exec.

PoC / Exploit :

original : www.abysssec.com/safemod-windows.zip
mirror : www.milw0rm.com/sploits/2009-safemod-windows.zip

Note : this vulnerability is published just for educational purposes and to show that the vulnerability exists, so the author will not be responsible for any damage caused by using it.

For more information visit Abysssec.com
Feel free to contact me at admin [at] abysssec.com

# milw0rm.com [2009-05-26]
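The separator equivalence described above is why a directory restriction on Windows has to compare canonical paths rather than the caller's spelling. The following is an added example, not part of the advisory or its PoC archive, and it does not reproduce PHP's internal safe mode code; `ALLOWED_DIR`, the function names and the sample paths are hypothetical and constructed for illustration.

```python
import ntpath  # Windows path rules as pure string handling; runs on any OS

# Hypothetical allow-listed directory, constructed for this example.
ALLOWED_DIR = r"C:\php\safe_bin"


def naive_is_allowed(path, allowed=ALLOWED_DIR):
    """Separator-unaware check: raw string prefix on the caller's spelling."""
    return path.startswith(allowed + "\\")


def canonical(path):
    """Fold '/' into '\\', collapse '.' and '..', and lower-case the result."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(path, allowed=ALLOWED_DIR):
    """Separator-aware check: compare canonical forms component by component."""
    target, base = canonical(path), canonical(allowed)
    try:
        return target != base and ntpath.commonpath([target, base]) == base
    except ValueError:  # different drives, or relative mixed with absolute
        return False


# Constructed sample inputs: (path, is it really inside ALLOWED_DIR on Windows?)
SAMPLES = [
    (r"C:\php\safe_bin\tool.exe", True),
    ("C:/php/safe_bin/tool.exe", True),                  # same file, other separator
    (r"c:\PHP\safe_bin/tool.exe", True),                 # mixed separators and case
    ("C:\\php\\safe_bin\\../../other/tool.exe", False),  # leaves the directory
    (r"D:\php\safe_bin\tool.exe", False),                # different drive
]


def compare():
    """Return (path, truth, naive verdict, canonical verdict) for each sample."""
    return [(p, t, naive_is_allowed(p), is_allowed(p)) for p, t in SAMPLES]


if __name__ == "__main__":
    for path, truth, naive, aware in compare():
        print(f"{path!r:50} inside={truth!s:5} naive={naive!s:5} canonical={aware}")
```

The naive check both rejects valid spellings of an allowed file and accepts a mixed-separator path that resolves outside the directory; the canonical check agrees with the expected answer on every sample.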