CVE-2006-5178 in PHPinfo

Summary

by MITRE

Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/23/2026

The vulnerability described in CVE-2006-5178 represents a critical race condition within PHP's symlink handling functionality that directly undermines the security controls designed to restrict file access operations. This issue affects PHP versions 5.1.6 and earlier, where the race condition occurs between the open_basedir restriction enforcement and the actual file system operations that occur during symlink resolution. The vulnerability specifically exploits the timing window between when PHP validates file paths against the open_basedir directive and when the underlying system actually opens the target file, creating an opportunity for privilege escalation and unauthorized access to restricted file system locations.

The technical flaw manifests when local users leverage a sophisticated sequence of system calls involving symlink, mkdir, and unlink functions to manipulate file paths dynamically. During the execution of PHP code, the open_basedir restriction is enforced at a specific point in the process, but the actual file system resolution occurs later when the symlink is dereferenced. Attackers can create a symlink pointing to a file outside the restricted directory, then immediately remove that symlink and replace it with a new one pointing to a different location, effectively bypassing the security check that was performed before the symlink was created. This race condition allows attackers to manipulate the file path after the validation but before the system actually opens the file, creating a window where the restriction is effectively circumvented.

The operational impact of this vulnerability extends beyond simple privilege escalation to potentially allow attackers to access sensitive files, execute arbitrary code, or perform unauthorized operations within the system. The vulnerability is particularly dangerous because it can be exploited locally by users who already have access to the system, and the attack vector involves creating a symlink in a subdirectory that points to a parent directory using .. sequences. This technique enables attackers to traverse directory structures that should normally be restricted, effectively breaking the sandboxing mechanisms that open_basedir is designed to enforce. The vulnerability demonstrates a fundamental flaw in how PHP handles file path resolution and validation, where the security check and actual file access operations are not atomic, creating a window for exploitation.

Security mitigations for this vulnerability require immediate patching of affected PHP installations to versions that address the race condition in symlink handling. System administrators should ensure that all PHP installations are updated to versions that properly synchronize the open_basedir validation with the actual file system operations. Additionally, organizations should implement monitoring for suspicious symlink creation and modification activities, particularly in directories where open_basedir restrictions are enforced. The vulnerability aligns with CWE-367, which addresses the issue of Time-of-Check to Time-of-Use (TOCTOU) race conditions, and represents a classic example of how improper synchronization between security checks and actual operations can create exploitable gaps in system defenses. From an ATT&CK perspective, this vulnerability maps to privilege escalation techniques and could be leveraged as part of broader attack chains to achieve persistent access or data exfiltration from compromised systems.

Reservation

10/05/2006

Disclosure

10/10/2006

Moderation

accepted

Entry

VDB-2587

CPE

ready

Exploit

Download

EPSS

0.00652

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!