PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-1187.html | vendor advisory |
| http://www.securitytracker.com/id/1032709 | vdb entry |
| http://rhn.redhat.com/errata/RHSA-2015-1186.html | vendor advisory |
| http://www.debian.org/security/2015/dsa-3344 | vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2015-1219.html | vendor advisory |
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | |
| http://php.net/ChangeLog-5.php | |
| https://bugs.php.net/bug.php?id=69719 | |
| http://www.openwall.com/lists/oss-security/2015/06/16/12 | mailing list |
| http://www.securityfocus.com/bid/75244 | vdb entry |
| http://rhn.redhat.com/errata/RHSA-2015-1135.html | vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2015-1218.html | vendor advisory |