PHP move_uploaded_file security restrictions bypass vulnerability (CVE-2015-2348)

ID MYHACK58:62201560726
Type myhack58
Reporter Anonymous
Modified 2015-04-04T00:00:00


Affected system:

PHP PHP 5.6.x

PHP PHP 5.5.x

PHP PHP 5.4.39


CVE (CAN) ID: CVE-2015-2348

PHP is a general-purpose open source scripting language.

In PHP 5.4.39, 5.5.x and 5.6.x, the move_uploaded_file implementation in ext/standard/basic_functions.c truncates the path name when it encounters a \x00 character. Because of this implementation flaw, a remote attacker can supply a crafted parameter to bypass the intended extension restriction and create a file with an unexpected name.

<source: PHP>
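
The mismatch described above (an extension check reads the whole string while the path is cut at \x00) can also be refused in application code before move_uploaded_file is called. The following PHP 7.1+ code is an added example, not code from PHP or from this advisory; `safe_destination`, `ALLOWED_EXT`, `UPLOAD_DIR` and the form field name `file` are assumptions, and the sample names are constructed.

```php
<?php
// Added example: defensive destination-name validation for an upload handler.
// ALLOWED_EXT, UPLOAD_DIR and the field name "file" are assumptions.
const ALLOWED_EXT = ['jpg', 'png', 'gif'];
const UPLOAD_DIR  = '/var/www/uploads';

/**
 * Return a safe destination path for a client-supplied name, or null to reject.
 */
function safe_destination(string $clientName): ?string
{
    // Reject NUL and other control bytes outright: the extension check below
    // sees the whole string, but a C-level path API stops at the first \x00.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Drop any directory components supplied by the client.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($base === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Store under a server-generated name so no client bytes reach the path.
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names: the second carries an embedded NUL byte.
$samples = ["photo.jpg", "notes.txt\x00.jpg", "../banner.PNG", "archive.zip"];
foreach ($samples as $name) {
    $dest = safe_destination($name);
    printf("%-22s => %s\n", addcslashes($name, "\0..\37"), $dest ?? 'REJECTED');
}

// In a request handler (not run here):
// $dest = safe_destination($_FILES['file']['name']);
// if ($dest === null || !move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
//     http_response_code(400);
// }
```

This check is defense in depth for the application; it does not replace the vendor upgrade.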

Recommendation:

Vendor patch:

The vendor has released an upgrade that fixes this security issue. Download it from the vendor's home page: