Main Vulnerability Database SB2014021503

SB2014021503 - Information disclosure in PHP

Published: February 15, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014021503

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2012-1171)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to bypass the open_basedir protection mechanism and read arbitrary files via vectors involving a stream_close method call during use of a custom stream wrapper.

Remediation

Install update from vendor's website.

References

https://bugs.php.net/bug.php?id=61367
https://bugzilla.redhat.com/show_bug.cgi?id=802591
https://github.com/php/php-src/blob/master/ext/libxml/tests/bug61367-read.phpt
https://github.com/php/php-src/blob/master/ext/libxml/tests/bug61367-write.phpt