CVE-2015-3412

Description

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

CVSS Metrics

• v3.0•MEDIUM•Score: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.01%• Percentile: 77%

Techniques & Countermeasures

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

• CWE-254•7PK - Security Features

  Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Affected Systems

• Unknown•PHP

  ≤ 5.4.39 | 5.5.0 | 5.5.1 | 5.5.2 | 5.5.3 | 5.5.4 | 5.5.5 | 5.5.6 | 5.5.7 | 5.5.8 | 5.5.9 | 5.5.10 | 5.5.11 | 5.5.12 | 5.5.13 | 5.5.14 | 5.5.15 | 5.5.16 | 5.5.17 | 5.5.18 | 5.5.19 | 5.5.20 | 5.5.21 | 5.5.22 | 5.5.23 | 5.6.0 | 5.6.1 | 5.6.2 | 5.6.3 | 5.6.4 | 5.6.5 | 5.6.6 | 5.6.7

• redhat•enterprise_linux

  6.0 | 7.0

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_hpc_node

  7.0

• redhat•enterprise_linux_hpc_node_eus

  7.1

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_server_eus

  7.1

• redhat•enterprise_linux_workstation

  7.0

References (10)

• http://rhn.redhat.com/errata/RHSA-2015-1187.html
• http://www.securitytracker.com/id/1032709
• http://rhn.redhat.com/errata/RHSA-2015-1186.html
• https://bugs.php.net/bug.php?id=69353
• http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
• http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=4435b9142ff9813845d5c97ab29a5d637bedb257
• http://php.net/ChangeLog-5.php
• http://rhn.redhat.com/errata/RHSA-2015-1135.html
• http://www.securityfocus.com/bid/75250
• http://rhn.redhat.com/errata/RHSA-2015-1218.html