CVE-2004-1063 in PHPinfo

Summary

by MITRE

PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.


Analysis

by VulDB Data Team • 07/06/2025

This vulnerability represents a critical security flaw in PHP versions ranging from 4.x through 4.3.9 and 5.x through 5.0.2 that affects systems operating in safe mode with multithreaded Unix web servers. The core issue stems from improper handling of shell metacharacters within directory names, creating a pathway for local attackers to circumvent the safe_mode_exec_dir restrictions that are specifically designed to limit command execution to predetermined directories. The vulnerability exploits a fundamental flaw in how PHP processes command execution paths when safe mode is enabled, particularly in multithreaded environments where concurrent processes may interfere with path resolution mechanisms.

The technical exploitation occurs when a local user manipulates the current working directory to contain shell metacharacters such as semicolons, pipes, or backticks, which are then interpreted by the system shell during command execution. This allows attackers to inject arbitrary commands that bypass the intended safe_mode_exec_dir restrictions, effectively enabling execution of commands outside the designated safe directories. The vulnerability is particularly dangerous because it leverages the inherent concurrency of multithreaded web servers to create race conditions or path resolution conflicts that PHP's safe mode implementation cannot properly handle. This flaw aligns with CWE-78, which specifically addresses improper neutralization of special elements used in OS commands, and demonstrates how environment-specific configurations can create unexpected security weaknesses.

The operational impact of this vulnerability extends beyond simple privilege escalation to include complete system compromise potential. Attackers can execute arbitrary commands with the privileges of the web server process, potentially leading to data theft, system infiltration, or further attacks on network infrastructure. The vulnerability affects web applications that rely on PHP's safe mode for security isolation, particularly in shared hosting environments where multiple users operate under the same web server process. This creates a significant risk for organizations deploying PHP applications in environments where security isolation is paramount, as the vulnerability can be exploited without requiring remote network access or elevated privileges beyond local system access.

Mitigation strategies must address both the immediate vulnerability and underlying architectural issues. The most effective approach involves upgrading to PHP versions that have addressed this specific flaw, as the vulnerability is fundamentally resolved through improved path handling and command execution sanitization. Organizations should also implement additional security controls such as restricting local file system access for web server processes, implementing proper directory permissions, and utilizing alternative security mechanisms such as PHP's open_basedir restrictions or container-based isolation. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and command execution, specifically targeting the T1059.001 and T1068 attack patterns. System administrators should also consider implementing monitoring for unusual command execution patterns and ensure that all PHP installations are kept current with security patches, as this vulnerability demonstrates how seemingly minor implementation flaws in security mechanisms can create significant exploitation opportunities.
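The summary above turns on a directory name that a shell misparses once it is spliced unquoted into a command line. As an added defender-side example, not part of the VulDB entry or of PHP itself, the audit helper below walks a document root and flags directory names containing such metacharacters, and checks a PHP version string against the affected ranges the summary gives. The exact metacharacter set and the inclusive range boundaries are assumptions of this example.

```python
import os
import re
import sys

# Characters a POSIX sh treats specially when a path is interpolated
# unquoted into a command line (assumed set; conservative on purpose).
SHELL_META = set(';|&$`\\()<>\'"*?[]{}~#!') | set(' \t\n')

# Affected ranges as given in the MITRE summary: 4.x up to 4.3.9 and
# 5.x up to 5.0.2, both ends treated as inclusive (assumption).
AFFECTED = [((4, 0, 0), (4, 3, 9)), ((5, 0, 0), (5, 0, 2))]


def parse_version(text):
    """Turn '4.3.9' (or '4.3.9-1ubuntu') into (4, 3, 9); missing parts are 0."""
    parts = [int(p) for p in re.findall(r'\d+', text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def php_version_affected(text):
    """True if the version string falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def has_shell_metachars(name):
    """True if a single path component would be misparsed by an unquoting shell."""
    return any(c in SHELL_META for c in name)


def scan_names(paths):
    """Return those paths whose final component carries a shell metacharacter."""
    return [p for p in paths if has_shell_metachars(os.path.basename(p.rstrip('/')))]


def scan_tree(root):
    """Walk a document root and return directories whose names a shell would misparse."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if has_shell_metachars(d):
                found.append(os.path.join(dirpath, d))
    return found


if __name__ == '__main__':
    # Usage: python audit.py /var/www  (prints risky directory names, if any)
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path in scan_tree(root):
        print(f'unsafe directory name: {path!r}')
```

Run it against the shared-hosting document root as a periodic check; a hit is worth investigating on any host still running an affected PHP build.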

Reservation: 11/23/2004

Disclosure: 01/10/2005

Moderation: accepted

Entry: VDB-23671

CPE: ready

Exploit: Download

EPSS: 0.04181

KEV: no

Activities: very low
