CVE-2015-3412 in PHPinfo

Summary

by MITRE

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.


Analysis

by VulDB Data Team • 05/22/2022

CVE-2015-3412 is a path-validation flaw in PHP that enables arbitrary file reads; it affects the 5.4, 5.5 and 5.6 release lines prior to the fixed versions. It stems from insufficient validation of pathnames containing a null byte, which a client sends URL-encoded as %00. The flaw lies in the stream_resolve_include_path function in ext/standard/streamsfuncs.c, which resolves a filename against the configured include path. When an application passes user-supplied input to this function for file inclusion or file access, the missing null byte check gives an attacker a way to subvert the application's file access controls.

Exploitation relies on null byte truncation: a PHP string may contain an embedded null byte, but once the path reaches C-level handling in the runtime and the operating system, the string ends at that byte. An attacker who supplies a filename with a null byte followed by a permitted extension passes the application's extension check, while the underlying system call sees only the part before the null byte and opens a file that should have been out of reach. Any security mechanism that validates the file extension of the raw input, such as a configuration that permits access only to .php, .txt or .html files, can be bypassed this way.

Operationally, this puts at risk any web application that relies on PHP for dynamic content delivery and file handling. The impact goes beyond simple information disclosure: an attacker may reach configuration files, database credentials, application source code and other confidential data stored on the server. Any application that passes user input to stream_resolve_include_path, or to similar path-resolution mechanisms, is exposed, which makes the issue widespread across the PHP ecosystem. Outcomes range from disclosure of sensitive files to remote code execution when chained with other vulnerabilities. The attack is delivered through the application's ordinary web interface and requires neither special privileges nor complex exploitation techniques.

Organizations should prioritize upgrading affected installations; the fix is included in PHP 5.4.40, 5.5.24 and 5.6.8. Security teams should add input validation at multiple layers, sanitize user-supplied filenames (rejecting embedded null bytes outright), and monitor for suspicious file access patterns. The vulnerability is classified under CWE-170, improper null termination, and represents a classic example of a buffer over-read vulnerability that can be exploited through improper input validation. From an ATT&CK framework perspective it maps to T1059 for remote code execution and T1083 for file and directory discovery, making it a significant threat vector in the adversary lifecycle. Web application firewalls and runtime application self-protection mechanisms can help detect and block exploitation attempts. The flaw is a reminder of how much server-side scripting environments depend on proper validation of user-supplied data.
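The following PHP script is an added example written for this entry; it is not VulDB's code nor the PHP project's own. It illustrates the mechanism described above (an extension check on the raw input that a "filename\0.extension" value passes) and the mitigation (rejecting embedded null bytes before the call and re-checking the extension on the path that was actually resolved). The include directory, file names and test inputs are constructed for the demonstration.

```php
<?php
// Added example for CVE-2015-3412 (not VulDB's or the PHP project's own code).
// Contrasts the extension check that the null byte bypasses with a wrapper
// that fails closed on embedded NULs and validates the resolved path.

// Vulnerable pattern: the ".txt" check runs on the raw client string, but a
// pre-fix stream_resolve_include_path() handed that string to C code, which
// stops at the first NUL. "secret\0.txt" therefore passes the check and
// resolves "secret". On patched interpreters the runtime itself refuses the
// NUL (warning and NULL on PHP 5/7, a ValueError on PHP 8).
function resolveVulnerable($userPath, $allowedExt)
{
    if (substr($userPath, -strlen($allowedExt)) !== $allowedExt) {
        return false;
    }
    return stream_resolve_include_path($userPath);
}

// Hardened pattern: reject NUL before calling into the runtime, and re-check
// the extension on the resolved path, which is what will actually be opened.
function resolveHardened($userPath, $allowedExt)
{
    if (strpos($userPath, "\0") !== false) {
        return false;                        // truncation attempt: fail closed
    }
    $resolved = stream_resolve_include_path($userPath);
    if ($resolved === false || $resolved === null) {
        return false;
    }
    if (substr($resolved, -strlen($allowedExt)) !== $allowedExt) {
        return false;                        // resolved target must still match
    }
    return $resolved;
}

// Constructed fixture: a throwaway include directory holding one permitted
// .txt file and one file the extension rule is meant to keep out of reach.
$dir = sys_get_temp_dir() . '/cve-2015-3412-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/notes.txt", "public\n");
file_put_contents("$dir/secret", "restricted\n");
set_include_path($dir);

// Constructed inputs: a legitimate name, the NUL-truncation value, a plain
// name that fails the extension rule in both variants.
$inputs = ["notes.txt", "secret\0.txt", "secret"];
foreach ($inputs as $in) {
    $shown = addcslashes($in, "\0");         // print NUL visibly as \000
    try {
        $v = resolveVulnerable($in, '.txt');
    } catch (Throwable $e) {                 // PHP 8 runtime rejection
        $v = 'rejected by runtime (' . get_class($e) . ')';
    }
    $h = resolveHardened($in, '.txt');
    printf("%-14s vulnerable=%-40s hardened=%s\n",
        $shown, var_export($v, true), var_export($h, true));
}

unlink("$dir/notes.txt");
unlink("$dir/secret");
rmdir($dir);
```

Run it with `php demo.php`. On an interpreter older than the fixed versions, the vulnerable variant resolves `secret\000.txt` to the restricted file while the hardened variant returns `false`; on a patched interpreter the vulnerable variant is stopped by the runtime instead, but the hardened variant still fails closed on its own, which is the property to rely on in application code that must also run behind older or differently configured PHP builds.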

Reservation

04/24/2015

Disclosure

05/16/2016

Moderation

accepted

Entry

VDB-76122

CPE

ready

EPSS

0.01006

KEV

no

Activities

very low

Sources
