Vulnerability & Exploit Database

Back to search

PHP Vulnerability: CVE-2015-3411

Severity CVSS Published Added Modified
6 (AV:N/AC:L/Au:N/C:P/I:P/A:N) May 15, 2016 June 02, 2016 January 07, 2018

Description

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

References

Solution

php-upgrade-5_4_40

Related Vulnerabilities