View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006521||CentOS-6||php||public||2013-06-26 08:14||2014-01-10 21:33|
|Target Version||Fixed in Version||6.5|
|Summary||0006521: PHP 5.3.3 version is vulnerable to the NULL Byte attack (CVE-2006-7243)|
|Description||It was reported that PHP would accept filenames with a NULL character in the string, and silently truncate anything after the NULL character. This could lead to unexpected results and could possibly disclose the existence of certain system files. This was initially reported against the file_exists() function, but a number of other functions were changed to prevent PHP from considering paths with a NULL character as being valid.|
This has been corrected in the upstream 5.3.4 release.
This issue can potentially impact sane PHP code and is not limited to safe_mode / open_basedir restrictions.
|Tags||No tags attached.|
Adding upstream bugzilla entry for reference:
Although not sure when this will be fixed. Also affects C5 (both php and php53).
|php53 for C5 got this issue fixed with https://rhn.redhat.com/errata/RHSA-2013-1307.html|
|Also now fixed in C6 with https://rhn.redhat.com/errata/RHSA-2013-1615.html (release of 6.5).|
|2013-06-26 08:14||devrock4||New Issue|
|2013-06-26 16:44||tigalch||Note Added: 0017599|
|2013-11-19 20:09||tigalch||Note Added: 0018370|
|2014-01-10 21:33||tigalch||Note Added: 0019024|
|2014-01-10 21:33||tigalch||Status||new => resolved|
|2014-01-10 21:33||tigalch||Fixed in Version||=> 6.5|
|2014-01-10 21:33||tigalch||Resolution||open => fixed|
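
The truncation in the description above comes from two views of one string: the runtime's length-counted string and the NUL-terminated string a C library call reads. The following is an added example, not code from this issue or from PHP's source; `counted_str`, `CS` and the function names are hypothetical. It shows both views side by side and a guard that rejects any path where they differ.

```c
#include <stdio.h>
#include <string.h>

/* Length-counted string, the way a scripting runtime holds user input
 * (hypothetical type for this example). */
struct counted_str { const char *buf; size_t len; };
#define CS(lit) ((struct counted_str){ (lit), sizeof(lit) - 1 })

/* Application-level view: does the full counted string end in `suffix`? */
int ends_with(struct counted_str s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.buf + s.len - n, suffix, n) == 0;
}

/* C-library view: stat()/fopen() stop reading at the first NUL byte. */
size_t os_visible_len(struct counted_str s) {
    const char *nul = memchr(s.buf, '\0', s.len);
    return nul ? (size_t)(nul - s.buf) : s.len;
}

/* Guard: accept a path only when both views agree (no embedded NUL)
 * and the path is not empty. */
int path_is_safe(struct counted_str s) {
    return s.len > 0 && os_visible_len(s) == s.len;
}

int main(void) {
    /* Constructed sample inputs. */
    struct counted_str samples[] = {
        CS("uploads/cat.jpg"),
        CS("notes/private.txt\0.jpg"),
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct counted_str s = samples[i];
        printf("len=%zu os_len=%zu ends_with_jpg=%d -> %s\n",
               s.len, os_visible_len(s), ends_with(s, ".jpg"),
               path_is_safe(s) ? "accept" : "reject");
    }
    return 0;
}
```

The second sample passes the suffix check on the full string while the C library would see only the first 17 bytes, which is why the guard compares lengths instead of inspecting the extension.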