Authorization Bypass


PHP is vulnerable to authorization bypass. File names with NULL characters `\0` are not properly handled, which would allow a remote attacker to abuse the vulnerability to create a PHP script to access arbitrary files and bypass file system access restrictions. This is demonstrated by entering a NULL character such as `.php\0.jpg` at the end of the argument to the `file_exists` function, which causes access controls to treat the file as an image `.jpg` file, but process the file as a `.php` file.

Affected Software

CPE Name Name Version
php 5.3.3__3.el6_2.5
php 5.3.3__23.el6_4
php 5.1.6__39.el5_8
php 5.3.3__3.el6
php 5.1.6__15.el5
php 5.3.3__14.el6_3
php 5.3.3__22.el6
php 5.3.3__3.el6_2.8
php 5.1.6__23.2.el5_3
php 5.1.6__27.el5_5.3
php 5.3.2__6.el6
php 5.1.6__11.el5
php 5.1.6__40.el5_9
php 5.1.6__27.el5
php 5.1.6__34.el5_8
php 5.1.6__12.el5
php 5.1.6__27.el5_7.5
php 5.3.3__3.el6_1.3
php 5.1.6__20.el5
php 5.1.6__32.el5
php 5.1.6__43.el5_10
php 5.3.2__6.el6_0.1
php 5.1.6__23.el5
php 5.1.6__7.el5
php 5.1.6__27.el5_7.4
php 5.1.6__20.el5_2.1
php 5.1.6__5.el5
php 5.1.6__24.el5_4.5
php 5.3.3__3.el6_2.6
php53 5.3.3__1.el5_7.5
php53 5.3.3__1.el5_6.1
php53 5.3.3__13.el5_8
php53 5.3.3__13.el5_9.1
php53 5.3.3__1.el5_7.6
php53 5.3.3__1.el5_7.3
php53 5.3.3__5.el5
php53 5.3.3__7.el5_8
php53 5.3.3__1.el5