CVE-2016-10712

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.5.32 PHP versions 5.6.x prior to 5.6.18 PHP versions 7.x prior to 7.0.3

Description The issue arises from insufficient input validation in the stream get meta data function, allowing an attacker to control the return values if the input can be controlled, such as during file uploads. For instance, a call like $uri = stream get meta data(fopen($file, "r"))['uri'] can mishandle cases where $file is set to data:text/plain;uri=eviluri, enabling an attacker to set metadata. This can potentially impact the integrity of information.

Recommendations For PHP versions prior to 5.5.32, update to version 5.5.32 or later. For PHP versions 5.6.x prior to 5.6.18, update to version 5.6.18 or later. For PHP versions 7.x prior to 7.0.3, update to version 7.0.3 or later.