Description
FraMe from kernelpanik.org reported that the cURL module does not
respect open_basedir restrictions. As a result, scripts which used
cURL to open files with an user-specified path could read arbitrary
local files outside of the open_basedir directory.
Stefano Di Paola discovered a vulnerability in PHP's shmop_write()
function. Its "offset" parameter was not checked for negative values,
which allowed an attacker to write arbitrary data to arbitrary memory
locations. A script which passed unchecked parameters to
shmop_write() could possibly be exploited to execute arbitrary code
with the privileges of the web server and to bypass safe mode
restrictions.