CVE-2019-11045
PHP DirectoryIterator class accepts filenames with embedded null byte and treats them as terminating at that byte
| Publication Date | 2019-12-22 |
|---|---|
| Severity | Moderate |
| Type | Privilege Escalation |
| Affected PHP Versions | 7.2.x below 7.2.26, 7.3.x below 7.3.13, 7.4.0 |
| Fixed Product Versions | 7.2.26, 7.3.13, 7.4.1 |
CVE Details
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP's DirectoryIterator class accepts filenames with embedded null bytes (\0, U+0000) and treats them as terminating at that byte. This can lead to security vulnerabilities when an application checks which paths the code is allowed to access: the check sees the full string, while DirectoryIterator only uses the part before the null byte.
Recommendations
Filter paths and filenames before providing them to the DirectoryIterator constructor (the result must be assigned back, since preg_replace does not modify its argument in place):
$var = preg_replace('/\\0/', '', $var);
When possible, update to PHP 7.2.26 or later, PHP 7.3.13 or later, or 7.4.1 or later.
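As an added example (not code from the advisory or from PHP itself), the wrapper below rejects input containing a null byte outright rather than stripping it, and then confirms the resolved directory stays under an application-chosen base before constructing the DirectoryIterator; the function name and the base directory are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical wrapper, not part of the advisory.
// Rejecting a NUL byte is stricter than stripping it: no legitimate
// filename contains one, so its presence is itself a sign of bad input.
function openDirectoryUnder(string $allowedBase, string $userPath): DirectoryIterator
{
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('Path contains a NUL byte');
    }

    $base = realpath($allowedBase);
    if ($base === false) {
        throw new RuntimeException('Allowed base directory does not exist');
    }

    // realpath() resolves symlinks and "..", so the containment check
    // compares canonical paths instead of raw strings.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        throw new RuntimeException('Requested directory does not exist');
    }
    if ($resolved !== $base && strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Requested directory is outside the allowed base');
    }

    return new DirectoryIterator($resolved);
}

// Constructed demonstration in a temporary directory (assumed layout).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dirit-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/public', 0700, true);
touch($tmp . '/public/readme.txt');

foreach (openDirectoryUnder($tmp, 'public') as $entry) {
    if (!$entry->isDot()) {
        echo 'listed: ', $entry->getFilename(), PHP_EOL;
    }
}

// A name with an embedded NUL and a name that escapes the base are both refused.
foreach (["public\0ignored", '..'] as $bad) {
    try {
        openDirectoryUnder($tmp, $bad);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```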