CVE-2019-11045

PHP DirectoryIterator class accepts filenames with embedded null byte and treats them as terminating at that byte

Publication Date	2019-12-22
Severity	Moderate
Type	Privilege Escalation
Affected PHP Versions	5.6.0 - 5.6.40 7.0.0 - 7.0.33 7.1.0 - 7.1.33 7.2.0 - 7.2.25 7.3.0 - 7.3.12 7.4.0
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendServer 2019.0.4

CVE Details

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP's DirectoryIterator class accepts filenames with embedded null bytes (\u0000) and treats them as terminating at that byte. This can lead to security vulnerabilities when applications check paths that the code is allowed to access.

Recommendations

Filter paths and filenames before providing them to the DirectoryIterator constructor:

preg_replace(&#039;/\\0/&#039;, &quot;&quot;, $var);

When possible, update to PHP 7.2.26 or later, PHP 7.3.13 or later, or 7.4.1 or later.

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations