Description
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."
Release | Status | Note |
---|---|---|
devel | not-affected | 5.3.6-13ubuntu1 |
hardy | released | 5.2.4-2ubuntu5.18 |
lucid | released | 5.3.2-1ubuntu4.10 |
maverick | released | 5.3.3-1ubuntu9.6 |
natty | released | 5.3.5-1ubuntu7.3 |
oneiric | not-affected | 5.3.6-13ubuntu1 |
upstream | released | 5.3.6-12 |
CVSS2: 6.4 Medium