CVE-2011-2202

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.3.7

Description The issue concerns a problem with the rfc1867 post handler function in PHP, which does not properly restrict filenames in multipart/form-data POST requests. This allows remote attackers to conduct absolute path traversal attacks and possibly create or overwrite arbitrary files through a crafted upload request. The issue is related to a "file path injection vulnerability."

Recommendations For PHP versions prior to 5.3.7, update to version 5.3.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the rfc1867 post handler function in main/rfc1867.c to minimize the risk of exploitation. Avoid using the vulnerable function until a patch is available.