CVE-2004-0959 in PHPinfo

Summary

by MITRE

rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2025

The vulnerability described in CVE-2004-0959 represents a critical file upload security flaw in PHP versions prior to 5.0.2 that stems from improper handling of MIME headers during file upload processing. This issue specifically affects the rfc1867.c component which is responsible for processing file uploads according to the RFC 1867 specification for file uploads in HTML forms. The vulnerability arises when a malicious local user crafts a PHP script with a specific MIME header that manipulates the $_FILES array, enabling unauthorized file placement outside of intended directories.

The technical root cause of this vulnerability lies in the insufficient validation of file upload parameters and the lack of proper sanitization of MIME header information. When PHP processes file uploads, it relies on the $_FILES superglobal array to store information about uploaded files including their temporary locations, names, sizes, and MIME types. In vulnerable versions, the system fails to properly validate the MIME headers provided by the client, allowing attackers to inject malicious file paths that bypass normal upload restrictions. This flaw operates at the application level and specifically targets the file handling mechanisms within PHP's file upload processing pipeline.

The operational impact of this vulnerability is severe as it allows local attackers to potentially place malicious files in arbitrary locations on the server filesystem, which could lead to privilege escalation, remote code execution, or persistent backdoor installation. Since the vulnerability affects local users rather than remote attackers, it requires an attacker to already have access to the system or a low-privilege account that can execute PHP scripts. However, once exploited, the consequences can be devastating as attackers can leverage this to move beyond the initial access point and establish more persistent control over the affected system. The vulnerability essentially undermines the fundamental security assumptions of file upload restrictions and server-side file handling.

This vulnerability maps directly to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and CWE-434 - Unrestricted Upload of File with Dangerous Type, making it a compound security issue that combines path traversal with insecure file handling practices. From an ATT&CK framework perspective, this vulnerability aligns with T1059.007 - Command and Scripting Interpreter: Python and T1505.003 - Server Software Component: Web Shell, as it enables the upload of malicious files that can be executed by the web server. The vulnerability also relates to T1078 - Valid Accounts and T1190 - Exploit Public-Facing Application, as it represents an internal exploitation vector that can be leveraged to gain unauthorized access to server resources. Organizations should implement immediate mitigations including upgrading to PHP 5.0.2 or later, implementing strict file upload validation, and enforcing proper file path restrictions to prevent attackers from manipulating the $_FILES array through crafted MIME headers.

The remediation strategy involves not only upgrading to patched PHP versions but also implementing comprehensive file upload security measures such as MIME type validation, file extension filtering, and strict directory permissions. Organizations should also consider implementing web application firewalls and monitoring for unusual file upload patterns. The vulnerability demonstrates the critical importance of proper input validation and the dangers of trusting client-supplied information without adequate sanitization, particularly in web application frameworks that handle file operations.

Reservation

10/13/2004

Disclosure

11/03/2004

Moderation

accepted

Entry

VDB-22376

CPE

ready

EPSS

0.00577

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!