CVE-2015-3411

Description

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.

CVSS Metrics

• v3.0•MEDIUM•Score: 6.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
• v2.0•MEDIUM•Score: 6.4AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.29%• Percentile: 52%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• Unknown•PHP

  ≤ 5.4.39 | 5.5.0 | 5.5.1 | 5.5.2 | 5.5.3 | 5.5.4 | 5.5.5 | 5.5.6 | 5.5.7 | 5.5.8 | 5.5.9 | 5.5.10 | 5.5.11 | 5.5.12 | 5.5.13 | 5.5.14 | 5.5.15 | 5.5.16 | 5.5.17 | 5.5.18 | 5.5.19 | 5.5.20 | 5.5.21 | 5.5.22 | 5.5.23 | 5.6.0 | 5.6.1 | 5.6.2 | 5.6.3 | 5.6.4 | 5.6.5 | 5.6.6 | 5.6.7

• redhat•enterprise_linux

  6.0 | 7.0

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_hpc_node

  7.0

• redhat•enterprise_linux_hpc_node_eus

  7.1

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_server_eus

  7.1

• redhat•enterprise_linux_workstation

  7.0

References (10)

• http://rhn.redhat.com/errata/RHSA-2015-1187.html
• http://www.securitytracker.com/id/1032709
• http://rhn.redhat.com/errata/RHSA-2015-1186.html
• https://bugs.php.net/bug.php?id=69353
• http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
• http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=4435b9142ff9813845d5c97ab29a5d637bedb257
• http://php.net/ChangeLog-5.php
• http://www.securityfocus.com/bid/75255
• http://rhn.redhat.com/errata/RHSA-2015-1135.html
• http://rhn.redhat.com/errata/RHSA-2015-1218.html