CVE-2014-9767

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.4.45 PHP versions 5.5.x prior to 5.5.29 PHP versions 5.6.x prior to 5.6.13 HHVM versions prior to 3.12.1

Description The issue is related to a directory traversal vulnerability in the ZipArchive::extractTo function. This vulnerability allows remote attackers to create arbitrary empty directories via a crafted ZIP archive. The vulnerability is caused by insufficient path name restrictions in the ZipArchive::extractTo function, which can be exploited by remote attackers to create arbitrary directories.

Recommendations For PHP versions prior to 5.4.45, update to version 5.4.45 or later. For PHP versions 5.5.x prior to 5.5.29, update to version 5.5.29 or later. For PHP versions 5.6.x prior to 5.6.13, update to version 5.6.13 or later. For HHVM versions prior to 3.12.1, update to version 3.12.1 or later.