CVE-2012-1172
Published: May 24, 2012
Modified: Aug 6, 2024
PUBLISHED
Description
The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Tags |
|---|---|
| SSRT100856 | vendor-advisory, x_refsource_HP |
| FEDORA-2012-6869 | vendor-advisory, x_refsource_FEDORA |
| https://bugs.php.net/bug.php?id=54374 | x_refsource_CONFIRM |
| SUSE-SU-2012:0604 | vendor-advisory, x_refsource_SUSE |
| https://bugs.php.net/bug.php?id=49683 | x_refsource_MISC |
| http://svn.php.net/viewvc?view=revision&revision=321664 | x_refsource_CONFIRM |
| [oss-security] 20120313 Re: CVE request for PHP 5.3.x Corrupted $_FILES indices lead to security concern | mailing-list, x_refsource_MLIST |
| https://bugs.php.net/bug.php?id=48597 | x_refsource_MISC |
| SUSE-SU-2012:0598 | vendor-advisory, x_refsource_SUSE |
| APPLE-SA-2012-09-19-2 | vendor-advisory, x_refsource_APPLE |
| http://support.apple.com/kb/HT5501 | x_refsource_CONFIRM |
| http://www.php.net/ChangeLog-5.php#5.4.0 | x_refsource_CONFIRM |
| FEDORA-2012-6907 | vendor-advisory, x_refsource_FEDORA |
| HPSBUX02791 | vendor-advisory, x_refsource_HP |
| DSA-2465 | vendor-advisory, x_refsource_DEBIAN |
| FEDORA-2012-6911 | vendor-advisory, x_refsource_FEDORA |
| https://bugs.php.net/bug.php?id=55500 | x_refsource_CONFIRM |