CVE-2012-2688
published 2012-07-20

Priority P272 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 10.47% (95.2th percentile)
Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."

Affected

111 ranges · showing 25

Vendor | Product | Version range | Fixed in
php    | php     | <= 5.3.14     |

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered when PHP's scandir() / _php_stream_scandir() processes a directory containing a number of files exceeding INT_MAX (2,147,483,647); monitor for abnormally large directory scans or file-upload activity that could stage such a condition.
  • The root cause is an integer signedness issue leading to a heap-based buffer overflow in _php_stream_scandir; detection should focus on PHP processes crashing or executing unexpected child processes when scandir() is invoked on attacker-influenced directories.
  • Patch reference commit for PHP 5.3/5.4 fix is fc74503792b1ee92e4b813690890f3ed38fa3ad5; verify this commit is present in deployed PHP source to confirm remediation.
  • Exploitation requires more than 2,147,483,647 files in the scanned directory, making real-world exploitation extremely difficult; severe filesystem/performance degradation would likely be observed before the threshold is reached.
  • Affected versions are PHP before 5.3.15 and PHP 5.4.x before 5.4.5; systems running these versions with web-accessible file upload directories are at elevated risk.
  • A practical mitigation is to enforce an upper file-count limit on directories accessible to PHP's scandir(), well below INT_MAX, to prevent the overflow condition from being reachable.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck     |         | 10.0  | CRITICAL |
vendor_redhat |         | 10.0  | CRITICAL |
vendor_ubuntu |         | 4.3   | MEDIUM   |