PT-2010-4428 · Php+2
Published: 2010-09-28 · Updated: 2024-06-15
CVE-2010-2950
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
PHP versions 5.3.x through 5.3.3
Description
A format string vulnerability exists in the phar extension, specifically in stream.c, allowing context-dependent attackers to obtain sensitive information, such as memory contents, and possibly execute arbitrary code. This issue arises from a crafted phar:// URI that is not properly handled by the phar stream flush function, leading to errors in the php stream wrapper log error function.
Recommendations
For PHP versions 5.3.x through 5.3.3, consider updating to a version that includes a complete fix for this issue, as the current fix is incomplete. As a temporary workaround, restrict access to the phar extension to minimize the risk of exploitation.
Exploit
Fix
Use of Externally-Controlled Format String
Weakness Enumeration
Related identifiers
Affected products
Centos
Php
Red Hat