PHP ionCube Loader Extension Safe_Mode and Disable_Functions Restriction Bypass Vulnerability

ionCube Loader is prone to a 'safe_mode' and 'disable_functions' restriction-bypass vulnerability. Successful exploits could allow an attacker to bypass the restrictions imposed by both PHP directives and to access arbitrary file contents.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' restrictions are expected to isolate users from each other.

ionCube 6.5 running on PHP 5.2.4 is affected; other versions may also be vulnerable.


 

Copyright 2010, SecurityFocus