Description

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

Remediation

References

CVE-2016-10712

Related Vulnerabilities

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-3178)

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-2853)

WordPress Plugin Import any XML or CSV File to WordPress Arbitrary File Upload (3.2.3)

Drupal Core 8.5.0 Remote Code Execution (8.5.0)

WordPress Plugin Nextend Facebook Connect Unspecified Vulnerability (1.5.7)

Severity

High

Classification

CVE-2016-10712 CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities