Note: This is an archival copy of Security Sun Alert 200823 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000622.1.
Article ID : 1000622.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

The PHP on Sun/Cobalt Platforms Have Exploitable Vulnerabilities


Release Phase

Bug Id

Date of Workaround Release

Date of Resolved Release


A local or remote unprivileged user may be able to execute arbitrary code on Sun Cobalt systems due to a vulnerability in PHP SafeMode with the privileges of the HTTP process. The HTTP process normally runs as the unprivileged uid 'nobody' (uid 60001). In order for a remote unprivileged user to exploit this issue, the existing PHP pages must use a variable as the fifth parameter in the mail() command. The ability to execute arbitrary code as the unprivileged uid 'nobody' may lead to modified Web content, denial of service, or further compromise.

Please see the Common Vulnerabilities and Exposures project at and reference CAN-2001-1246 at An additional reference is

Contributing Factors

This issue can occur in the following releases:

2800 Workgroup NTT/KOBE(2800WGJ-KOBE)

  • mod_php3-3.0.7-1C3j.mips.rpm
  • mod_php3-doc-3.0.7-1C3j.mips.rpm

RaQ4 no raid(3001R)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm
  • RaQ4 Japanese no raid(3001R-ja)
  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ4 RAID(3100R)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ4 Japanese RAID(3100R-ja)

  • php-4.0.1-C1.i386.rpm
  • php-devel-4.0.1-C1.i386.rpm

RaQ XTR(3500R)

  • php-4.0.3pl1-C1r5.i386.rpm
  • php-devel-4.0.3pl1-C1r5.i386.rpm

RaQ XTR Japanese(3500R-ja)

  • php-4.0.3pl1-C1r5.i386.rpm
  • php-devel-4.0.3pl1-C1r5.i386.rpm


  • php-4.0.1-C7q3.i386.rpm
  • php-devel-4.0.1-C5q3.i386.rpm

Qube 3 Japanese(4000WGJ)

  • php-4.0.3pl1-C1q3.i386.rpm
  • php-devel-4.0.3pl1-C1q3.i386.rpm

Qube3 w/ Caching(4010WG)

  • php-4.0.1-C7q3.i386.rpm
  • php-devel-4.0.1-C5q3.i386.rpm

Qube3 Japanese w/ Caching(4010WGJ)

  • php-4.0.3pl1-C1q3.i386.rpm
  • php-devel-4.0.3pl1-C1q3.i386.rpm

Control Station Production(4100CS)

  • php-4.0.3pl1-C1r6.i386.rpm
  • php-devel-4.0.3pl1-C1r6.i386.rpm

RaQ 550 (4100R)

  • php-devel-4.0.6-C4.i386.rpm
  • php-4.0.6-C4.i386.rpm

Qube3 w/ Caching and RAID(4100WG)

  • php-4.0.1-C7q3.i386.rpm
  • php-devel-4.0.1-C5q3.i386.rpm

Qube3 Japanese w/ Caching and RAID(4100WGJ)

  • php-4.0.3pl1-C1q3.i386.rpm
  • php-devel-4.0.3pl1-C1q3.i386.rpm

Sun LX50 (Sun Linux 5.0)

  • php-4.0.6-12.i386.rpm
  • php-devel-4.0.6-12.i386.rpm
  • php-imap-4.0.6-12.i386.rpm
  • php-ldap-4.0.6-12.i386.rpm
  • php-mysql-4.0.6-12.i386.rpm
  • php-odbc-4.0.6-12.i386.rpm
  • php-manual-4.0.6-12.noarch.rpm

Notes: PHP is an HTML-embedded scripting language commonly used with Apache. PHP versions 4.0.5 through 4.1.0 in safe mode do not properly cleanse the 5th parameter to the mail() function. This vulnerability allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.


Unusual entries in the web server logs could indicate that someone is attempting to gain entry through this issue. Any abnormal and/or unauthorized system activity, including, but not limited to, defaced web pages, unknown user accounts appearing on the system, and abnormal network traffic or listening TCP/UDP ports.


Until fixes for these vulnerabilities can be applied, disable all applications (as mentioned above in Contributing Factors) that use vulnerable implementations of PHP.


This issue is addressed in the following releases:

Cobalt platform

Instructions for downloading Cobalt Patches can be found in in MyOracleSupport.

For RaQ 4:

Qube 3:

RaQ 550:


Sun LX50 (Sun Linux 5.0):

Modification History
06-MAY-2003: Updated Resolution section. Resolved.

This solution has no attachment