Path traversal in PHP
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Absolute Path Traversal
EUVDB-ID: #VU56905
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-21706
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker overwrite files on the system.
The vulnerability exists due to insufficient filtration of file names in the php_zip_make_relative_path() function on Windows systems. A remote attacker can construct a specially crafted ZIP archive, which once extracted by the ZipArchive::extractTo() function, can overwrite files outside of the destination directory.
Successful exploitation of the vulnerability may allow an attacker to overwrite arbitrary files on the system with privileges of the web server, but requires that the web application is running on Windows.
Install updates from vendor's website.
Vulnerable software versionsPHP: 7.3 - 8.0.10
CPE2.3- cpe:2.3:a:php_group:php:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.0beta1:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.0beta3:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.0alpha1:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.0alpha4:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:7.3.4:*:*:*:*:*:*:*
https://www.php.net/ChangeLog-7.php#7.4.24
https://bugs.php.net/bug.php?id=81420
https://www.php.net/ChangeLog-7.php#7.3.31
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
