#VU10948 Improper input validation in PHP - CVE-2016-10712

Cybersecurity Help s.r.o.

Published: 2018-03-13 | Updated: 2018-03-14

Vulnerability identifier: #VU10948

Vulnerability risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2016-10712

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the stream_get_meta_data function due to improper input validation. A remote attacker can send a specially crafted file and control metadata.

Mitigation
Update to versions 5.5.32 or later, 5.6.18 or later and 7.0.3 or later.

Vulnerable software versions

PHP: 5.5.0 - 5.5.31, 5.6.0 - 5.6.17, 7.0.0 - 7.0.2

External links
https://bugs.php.net/bug.php?id=71323

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

SUSE Linux update for php53

Ubuntu update for PHP

OpenSUSE Linux update for php5

SUSE Linux update for php5

Information disclosure in PHP