Plataforma
php
Componente
php
Corrigido em
7.2.26
7.3.13
7.4.1
CVE-2019-11044 is a path traversal vulnerability affecting PHP versions 7.2.x prior to 7.2.26, 7.3.x prior to 7.3.13, and 7.4.0 specifically on Windows systems. This flaw arises from the link() function's improper handling of embedded null bytes (\0) within filenames. Consequently, an attacker could potentially bypass file access controls and read arbitrary files on the system.
The vulnerability allows an attacker to potentially read arbitrary files on the server by crafting filenames containing embedded null bytes. The link() function, intended for creating symbolic links, incorrectly interprets these null bytes as the end of the filename, allowing the attacker to specify paths beyond the intended directory. This could lead to sensitive information disclosure, such as configuration files, source code, or even system files, depending on the application's file access logic. While the CVSS score is LOW, the potential for sensitive data exposure makes this a significant concern, particularly in environments where file access controls are not strictly enforced.
CVE-2019-11044 was publicly disclosed on December 23, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits have been widely reported. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited impact and difficulty of exploitation.
Applications built using PHP versions 7.2.0–7.4.1 running on Windows are at risk. This includes web applications, command-line scripts, and any other PHP code that utilizes the link() function for file operations. Shared hosting environments where users have the ability to upload or manipulate files are particularly vulnerable.
• windows / server:
Get-WinEvent -FilterXPath "//Event[System[Provider[@Name='Microsoft-Windows-Sysinternals-PsExec']]]" | Select-String -Pattern '\0'• generic web:
curl -I 'http://your-php-app.com/link.php?file=../../../../etc/passwd%00'Check the response headers and body for any unexpected file content or error messages indicating path traversal.
disclosure
Status do Exploit
EPSS
8.02% (percentil 92%)
Vetor CVSS
The primary mitigation for CVE-2019-11044 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.1 or later. If immediate upgrading is not feasible, consider implementing stricter input validation on filenames used in file operations within your PHP applications. Sanitize user-supplied filenames to remove or escape null bytes before passing them to the link() function. Web Application Firewalls (WAFs) configured to detect path traversal attempts could also provide a temporary layer of defense. After upgrading, confirm the fix by attempting to create a symbolic link with a filename containing a null byte; the operation should fail with an appropriate error.
Atualize para a versão 7.2.26, 7.3.13 ou 7.4.1 do PHP, ou para uma versão posterior. Isso corrige a vulnerabilidade que permite a truncagem de nomes de arquivo após um byte nulo na função link() no Windows.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2019-11044 is a path traversal vulnerability in PHP 7.2.0–7.4.1 on Windows where the link() function mishandles null bytes in filenames, allowing attackers to potentially read arbitrary files.
If you are running PHP 7.2.x before 7.2.26, 7.3.x before 7.3.13, or 7.4.0 on a Windows system, you are potentially affected by this vulnerability.
Upgrade to PHP 7.4.1 or later to resolve the vulnerability. As a temporary measure, implement stricter input validation on filenames.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-11044.
Refer to the PHP security advisory: https://security.php.net/CVE-2019-11044
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.