Vulnerability identifier: #VU16118
Vulnerability risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences. A remote attacker can read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename.html attack that bypasses an intended configuration in which client users may write to only .html files.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PHP: 5.6.0 - 5.6.9, 5.5.0 - 5.5.25, 5.4.0 - 5.4.41
External links
http://bugs.php.net/bug.php?id=69719
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.