Upstream information
Description
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."

NVD CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Novell/SUSE information
Novell Bugzilla entry: 699711
SUSE Security Advisories:
- SUSE-SU-2012:0496-1, published Thu, 12 Apr 2012 23:08:15 +0200 (CEST)
- openSUSE-SU-2011:1137-1, published Mon, 17 Oct 2011 19:08:26 +0200 (CEST)
- openSUSE-SU-2011:1138-1, published Mon, 17 Oct 2011 19:08:32 +0200 (CEST)
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE 11.3 | | |
| openSUSE 11.3 | | |
| openSUSE 11.4 DEBUGINFO | | |
| openSUSE 11.4 | | |
| SLE 11 SP1 DEBUGINFO | | Builds SAT Patch Nr: 5964 |
| SUSE Linux Enterprise Software Development Kit 11 SP1, SUSE Linux Enterprise Software Development Kit 11 SP2 | | Builds SAT Patch Nr: 5964 |
| SUSE Linux Enterprise Software Development Kit 11 SP1, SUSE Linux Enterprise Software Development Kit 11 SP2 | | Builds SAT Patch Nr: 5964 |
| SUSE Linux Enterprise Server 11 SP1, SUSE Linux Enterprise Server 11 SP1 for VMware, SUSE Linux Enterprise Server 11 SP2 | | Builds SAT Patch Nr: 5964 |
