Innovate faster and cut risk with PHP experts from Zend Services.
Explore Services
See How Zend Helps Leading Hosting Providers Keep Their Managed Sites on Secure PHP
Read More
Learn PHP from PHP experts with free, on-demand, and instructor led courses.
Explore Training
Submit support requests and browse self-service resources.
Explore Support
CVE-2021-21707 php: special character breaks path in xml parsing
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended. The main cause of this vulnerability is improper input validation while parsing an Extensible Markup Language(XML) entity. A special character could allow an attacker to traverse directories. The highest threat from this vulnerability is to confidentiality and integrity.
simplexml_load_file()
NUL
If you are parsing XML in your applications, upgrade to PHP 7.3.33 or above, 7.4.26 or above, or 8.0.13 or above.
If you cannot upgrade immediately, ensure any user-supplied filenames are URL-decoded (e.g., $decodedFilename = urldecode($filename); before you pass them to an XML parsing function such as simplexml_load_file().
$decodedFilename = urldecode($filename);
Direct link to CVE-2021-21707 >
< View all CVEs
