Maksymilian Arciemowicz has discovered a weakness in PHP, which can be exploited by malicious, local users to bypass certain security restrictions. This could have a major impact in shared hosting systems.

The weakness is caused due to an input validation error in the PHP error_log() function in the processing of the destination parameter. It can be exploited to bypass the safe mode protection via directory traversal attacks in the "php://" wrapper.

The weakness has been confirmed in version 5.1.4 and has also been reported in version 4.4.2. Other versions may also be affected.

Solution:
Disable the error_log function via the disable_functions directive if the safe mode protection is required. This may impact functionality. All software vendors (including open source developers) should audit their source.
via Secunia