#VU10948 Improper input validation in PHP


Published: 2018-03-13 | Updated: 2018-03-14

Vulnerability identifier: #VU10948

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-10712

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the stream_get_meta_data function due to improper input validation. A remote attacker can send a specially crafted file and control metadata.

Mitigation
Update to versions 5.5.32 or later, 5.6.18 or later and 7.0.3 or later.

Vulnerable software versions

PHP: 5.5.0 - 5.5.31, 5.6.0 - 5.6.17, 7.0.0 - 7.0.2


External links
http://bugs.php.net/bug.php?id=71323


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability