oss-sec mailing list archives

Re: CVE request for PHP 5.3.x Corrupted $_FILES indices lead to security concern


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Tue, 13 Mar 2012 19:11:02 +0530

On 03/09/2012 02:26 AM, Kurt Seifried wrote:
> Just looking through http://www.php.net/ChangeLog-5.php#5.4.0
>
> Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
>
> https://bugs.php.net/bug.php?id=55500
> (still locked)
>
> But the blog posting:
>
> https://nealpoole.com/blog/2011/10/directory-traversal-via-php-multi-file-uploads/
>
> has details and it appears to be a security issue. I have emailed
> security () php net twice, no response in a week so I'm sending the request
> to OSS-sec.


This has been assigned CVE-2012-1172.


--
Huzaifa Sidhpurwala / Red Hat Security Response Team

