PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not
ensure that pathnames lack %00 sequences, which might allow remote
attackers to read arbitrary files via crafted input to an application that
calls the stream_resolve_include_path function in
ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension
attack that bypasses an intended configuration in which client users may
read files with only one specific extension.
 tyhicks> Related to CVE-2015-3411. Represents the additional vulnerability
  discoveries found in the upstream fixes, outside of what Neal Poole
  originally disclosed in PHP bug 69353.
 mdeslaur> same commits as CVE-2015-3411
More Information

Updated: 2019-03-19 12:18:56 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)