VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 10, 2006· Updated Apr 16, 2026

CVE-2006-1608

CVE-2006-1608

Description

The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

68
  • PHP/PHP66 versions
    cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*+ 65 more
    • cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.4:patch1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*
    • (no CPE)range: = 4.4.2, = 5.1.2
  • PHP/PHP 4.4.2llm-create
    Range: = 4.4.2
  • PHP/PHP 5.1.2llm-create
    Range: = 5.1.2

Patches

Vulnerability mechanics

Root cause

"Safe mode check accepts compress.zlib:// URIs as valid paths, allowing bypass of file access restrictions."

Attack vector

A local attacker who can invoke PHP's `copy()` function supplies a source argument containing a `compress.zlib://` URI (e.g., `compress.zlib:///etc/passwd`). The safe mode check in `main/safe_mode.c` calls `php_stream_locate_url_wrapper()` with `STREAM_LOCATE_WRAPPERS_ONLY`; because the function recognizes the `compress.zlib` protocol and returns a wrapper, safe mode returns 1 (allowed) instead of blocking the path [ref_id=1][ref_id=2]. This lets the attacker read arbitrary files on the filesystem, bypassing safe mode restrictions. No authentication is required, and the attack complexity is low.

Affected code

The vulnerability resides in the safe mode check within `main/safe_mode.c` (lines 78–80) and the `php_stream_locate_url_wrapper()` function in `main/streams.c` (lines 2522–2588) of PHP 4.4.2 and 5.1.2. The safe mode check calls `php_stream_locate_url_wrapper()` with the `STREAM_LOCATE_WRAPPERS_ONLY` flag, which returns a non-NULL wrapper for `compress.zlib://` URIs, causing safe mode to incorrectly allow the path instead of blocking it.

What the fix does

The advisory does not include a patch diff. The recommended fix is to modify the safe mode check so that it does not accept stream wrappers like `compress.zlib://` as valid local file paths. Specifically, the safe mode function should not treat a path as safe simply because `php_stream_locate_url_wrapper()` returns a non-NULL wrapper; it must also verify that the path refers to a plain file. Without a published patch, the advisory states that the root cause is safe mode accepting `compress.zlib://` URIs [ref_id=1][ref_id=2].

Preconditions

  • configPHP safe mode must be enabled on the server
  • authAttacker must be able to execute PHP code that calls copy() with a controlled source argument
  • networkAttacker must have local access to the server

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

16

News mentions

0

No linked articles in our index yet.