CVE-2012-1172

MEDIUM

Description

The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.

References

http://isisblogs.poly.edu/2011/08/11/php-not-properly-checking-params/

http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080037.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080041.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080070.html

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html

http://marc.info/?l=bugtraq&m=134012830914727&w=2

http://openwall.com/lists/oss-security/2012/03/13/4

http://support.apple.com/kb/HT5501

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/rfc1867.c?r1=321664&r2=321663&pathrev=321664

http://svn.php.net/viewvc?view=revision&revision=321664

http://www.debian.org/security/2012/dsa-2465

http://www.php.net/ChangeLog-5.php#5.4.0

https://bugs.php.net/bug.php?id=48597

https://bugs.php.net/bug.php?id=49683

https://bugs.php.net/bug.php?id=54374

https://bugs.php.net/bug.php?id=55500

https://nealpoole.com/blog/2011/10/directory-traversal-via-php-multi-file-uploads/

https://students.mimuw.edu.pl/~ai292615/php_multipleupload_overwrite.pdf

Details

Source: MITRE

Published: 2012-05-24

Updated: 2018-01-18

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.14:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.15:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.16:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.17:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.7:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.8:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.9:*:*:*:*:*:*:*

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions up to 5.3.10 (inclusive)

Tenable Plugins

View all (34 total)

IDNameProductFamilySeverity
78152F5 Networks BIG-IP : PHP vulnerability (SOL14574)NessusF5 Networks Local Security Checks
medium
74607openSUSE Security Update : php5 (openSUSE-SU-2012:0551-1)NessusSuSE Local Security Checks
medium
6995PHP < 5.3.11 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high
6994PHP 5.4.x < 5.4.1 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
68571Oracle Linux 5 : php53 (ELSA-2012-1047)NessusOracle Linux Local Security Checks
high
68570Oracle Linux 6 : php (ELSA-2012-1046)NessusOracle Linux Local Security Checks
high
68569Oracle Linux 5 : php (ELSA-2012-1045)NessusOracle Linux Local Security Checks
medium
67089CentOS 5 : php53 (CESA-2012:1047)NessusCentOS Local Security Checks
high
64103SuSE 11.2 Security Update : PHP5 (SAT Patch Number 6251)NessusSuSE Local Security Checks
high
64099SuSE 11.1 Security Update : PHP5 (SAT Patch Number 6252)NessusSuSE Local Security Checks
high
62236GLSA-201209-03 : PHP: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
6584Mac OS X 10.8 < 10.8.2 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
6583Mac OS X 10.7 < 10.7.5 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
62215Mac OS X 10.8.x < 10.8.2 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
62214Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)NessusMacOS X Local Security Checks
critical
62213Mac OS X Multiple Vulnerabilities (Security Update 2012-004) (BEAST)NessusMacOS X Local Security Checks
critical
61358Scientific Linux Security Update : php on SL6.x i386/x86_64 (20120627)NessusScientific Linux Local Security Checks
high
61357Scientific Linux Security Update : php on SL5.x i386/x86_64 (20120627)NessusScientific Linux Local Security Checks
medium
61356Scientific Linux Security Update : php53 on SL5.x i386/x86_64 (20120627)NessusScientific Linux Local Security Checks
high
59938CentOS 6 : php (CESA-2012:1046)NessusCentOS Local Security Checks
high
59753RHEL 5 : php53 (RHSA-2012:1047)NessusRed Hat Local Security Checks
high
59752RHEL 6 : php (RHSA-2012:1046)NessusRed Hat Local Security Checks
high
59751RHEL 5 : php (RHSA-2012:1045)NessusRed Hat Local Security Checks
medium
59738CentOS 5 : php (CESA-2012:1045)NessusCentOS Local Security Checks
medium
59603Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerabilities (USN-1481-1)NessusUbuntu Local Security Checks
high
59059Debian DSA-2465-1 : php5 - several vulnerabilitiesNessusDebian Local Security Checks
high
59053SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8114)NessusSuSE Local Security Checks
high
59008Fedora 15 : maniadrive-1.2-32.fc15.3 / php-5.3.11-1.fc15 / php-eaccelerator-0.9.6.1-9.fc15.3 (2012-6911)NessusFedora Local Security Checks
medium
59007Fedora 16 : maniadrive-1.2-32.fc16.3 / php-5.3.11-1.fc16 / php-eaccelerator-0.9.6.1-9.fc16.3 (2012-6907)NessusFedora Local Security Checks
medium
59006Fedora 17 : maniadrive-1.2-38.fc17 / php-5.4.1-1.fc17 (2012-6869)NessusFedora Local Security Checks
medium
58967PHP 5.4.x < 5.4.1 Multiple VulnerabilitiesNessusCGI abuses
medium
58966PHP < 5.3.11 Multiple VulnerabilitiesNessusCGI abuses
medium
58938FreeBSD : php -- multiple vulnerabilities (2cde1892-913e-11e1-b44c-001fd0af1a4c)NessusFreeBSD Local Security Checks
medium
58890Mandriva Linux Security Advisory : php (MDVSA-2012:065)NessusMandriva Local Security Checks
high