CVE-2015-4025

Description

PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVSS Metrics

• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 7.95%• Percentile: 92%

Techniques & Countermeasures

• CWE-19•Data Processing Errors

  Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Affected Systems

• apple•mac_os_x

  ≤ 10.10.4

• Unknown•PHP

  ≤ 5.4.40 | 5.4.39 | 5.5.0 | 5.5.0:alpha1 | 5.5.0:alpha2 | 5.5.0:alpha3 | 5.5.0:alpha4 | 5.5.0:alpha5 | 5.5.0:alpha6 | 5.5.0:beta1 | 5.5.0:beta2 | 5.5.0:beta3 | 5.5.0:beta4 | 5.5.0:rc1 | 5.5.0:rc2 | 5.5.1 | 5.5.2 | 5.5.3 | 5.5.4 | 5.5.5 | 5.5.6 | 5.5.7 | 5.5.8 | 5.5.9 | 5.5.10 | 5.5.11 | 5.5.12 | 5.5.13 | 5.5.14 | 5.5.18 | 5.5.19 | 5.5.20 | 5.5.21 | 5.5.22 | 5.5.23 | 5.5.24 | 5.6.0:alpha1 | 5.6.0:alpha2 | 5.6.0:alpha3 | 5.6.0:alpha4 | 5.6.0:alpha5 | 5.6.0:beta1 | 5.6.0:beta2 | 5.6.0:beta3 | 5.6.0:beta4 | 5.6.2 | 5.6.3 | 5.6.4 | 5.6.5 | 5.6.6 | 5.6.7 | 5.6.8

• redhat•enterprise_linux

  6.0 | 7.0

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_hpc_node

  7.0

• redhat•enterprise_linux_hpc_node_eus

  7.1

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_server_eus

  7.1

• redhat•enterprise_linux_workstation

  7.0

References (16)

• http://rhn.redhat.com/errata/RHSA-2015-1187.html
• http://rhn.redhat.com/errata/RHSA-2015-1186.html
• https://bugs.php.net/bug.php?id=69418
• http://rhn.redhat.com/errata/RHSA-2015-1219.html
• http://www.securityfocus.com/bid/74904
• http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
• http://php.net/ChangeLog-5.php
• http://www.debian.org/security/2015/dsa-3280
• http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
• http://rhn.redhat.com/errata/RHSA-2015-1135.html
• http://www.securitytracker.com/id/1032431
• https://support.apple.com/kb/HT205031
• http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html
• https://security.gentoo.org/glsa/201606-10