#VU32501 Input validation error in PHP - CVE-2014-5120
Vulnerability identifier: #VU32501
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PHP: 5.4.0 - 5.4.31
External links
https://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
https://lists.opensuse.org/opensuse-updates/2014-09/msg00024.html
https://php.net/ChangeLog-5.php
https://rhn.redhat.com/errata/RHSA-2014-1327.html
https://rhn.redhat.com/errata/RHSA-2014-1765.html
https://rhn.redhat.com/errata/RHSA-2014-1766.html
https://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
https://bugs.php.net/bug.php?id=67730
https://support.apple.com/HT204659
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
