CVE-2016-10712 in PHP
Summary
by MITRE
In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/06/2023
This vulnerability exists in PHP versions prior to 5.5.32, 5.6.18, and 7.0.3 where the stream_get_meta_data function fails to properly validate input parameters, creating a potential attack vector for malicious data manipulation. The flaw specifically affects how the function handles URI data streams, allowing attackers to inject arbitrary metadata through controlled input sources. When an attacker provides a file path containing a specially crafted data URI such as data:text/plain;uri=eviluri, the stream_get_meta_data function incorrectly processes the metadata, leading to potential security implications. This vulnerability falls under the CWE-20 category of Improper Input Validation, specifically manifesting as a case where untrusted data is not properly sanitized before being processed by the stream handling mechanisms. The issue directly impacts the security of file upload and stream processing operations within PHP applications.
The technical exploitation of this vulnerability occurs when PHP applications use stream_get_meta_data in conjunction with user-controlled input or file paths. When a developer calls stream_get_meta_data on a file handle created from an attacker-controlled URI, the function fails to properly isolate or sanitize the metadata components. The attacker can manipulate the URI scheme to inject malicious metadata that gets returned by the function, potentially leading to information disclosure, privilege escalation, or other security consequences. This vulnerability is particularly dangerous because it operates at the stream layer of PHP's file handling system, affecting core functionality that many applications rely upon for processing uploaded files, remote data access, and various I/O operations. The issue demonstrates a classic case of insufficient input sanitization where the application trusts the metadata returned by stream operations without proper validation or filtering.
The operational impact of CVE-2016-10712 extends beyond simple data manipulation to potentially enable more sophisticated attacks within applications that process file uploads or remote data streams. Attackers could leverage this vulnerability to manipulate the metadata returned by stream operations, potentially causing applications to misinterpret file characteristics, access unauthorized resources, or behave in unexpected ways that could be exploited for further attacks. The vulnerability affects a fundamental PHP stream handling mechanism, making it particularly concerning for web applications that process user uploads or access remote data sources. Applications using PHP versions prior to the patched releases could be vulnerable to attackers who craft malicious file paths containing data URIs, potentially leading to information leakage or system compromise. This vulnerability aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter and T1566.001 for Phishing, as it enables attackers to manipulate file processing behavior and potentially execute malicious code through crafted input.
Organizations should immediately upgrade to PHP versions 5.5.32, 5.6.18, or 7.0.3 or later to remediate this vulnerability. Additionally, developers should implement proper input validation and sanitization for all file paths and URI data before processing them through stream functions. Applications should avoid directly using user-controllable input in stream operations without proper sanitization, and should implement strict validation of URI schemes and metadata components. Security monitoring should be enhanced to detect unusual stream operations or metadata manipulation patterns that could indicate exploitation attempts. The vulnerability demonstrates the importance of input validation at all layers of application processing, particularly for functions that handle stream operations and file metadata. Organizations should also consider implementing web application firewalls and input filtering mechanisms to prevent malicious URI data from reaching vulnerable PHP functions, as this vulnerability can be exploited through various attack vectors including file upload forms and remote data access points.