CVE-2011-2202

PHP < 5.3.7 - Path Traversal and Arbitrary File Write via Multipart Form-Data Filename

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-2202. PoCs published by Krzysztof Kotowicz.

AI-analyzed exploit summary This exploit demonstrates a security-bypass vulnerability in PHP 5.3.6, allowing an attacker to create arbitrary files from the root directory by manipulating the filename in a multipart/form-data POST request. The vulnerability arises due to improper handling of filenames containing slashes.

Description

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Krzysztof Kotowicz · textremotephp

https://www.exploit-db.com/exploits/35855

View Code ZIP pw:eip

This exploit demonstrates a security-bypass vulnerability in PHP 5.3.6, allowing an attacker to create arbitrary files from the root directory by manipulating the filename in a multipart/form-data POST request. The vulnerability arises due to improper handling of filenames containing slashes.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: PHP 5.3.6

No auth needed

Prerequisites: A web server running PHP 5.3.6 with a file upload endpoint

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (21)

Core 21

Core References

Vendor Advisory x_refsource_confirm

http://www.php.net/archive/2011.php#id2011-08-18-1

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/48259

Patch x_refsource_confirm

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/rfc1867.c?r1=312103&r2=312102&pathrev=312103

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=133469208622507&w=2

Patch x_refsource_confirm

http://svn.php.net/viewvc?view=revision&revision=312103

Vendor Advisory x_refsource_confirm

http://support.apple.com/kb/HT5130

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/49241

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1025659

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/67999

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDVSA-2011:165

Various Sources x_refsource_confirm

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/NEWS?view=markup&pathrev=312103

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/44874

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2011/dsa-2266

Mailing List vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

Patch mailing-list x_refsource_mlist

http://openwall.com/lists/oss-security/2011/06/13/15

Various Sources x_refsource_confirm

http://bugs.php.net/bug.php?id=54939

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2011-1423.html

Vendor Advisory x_refsource_confirm

http://www.php.net/ChangeLog-5.php#5.3.7

Patch mailing-list x_refsource_mlist

http://openwall.com/lists/oss-security/2011/06/12/5

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2012-0071.html

Exploit x_refsource_misc

http://pastebin.com/1edSuSVN

Scores

EPSS 0.1923

EPSS Percentile 97.0%

Details

CWE

CWE-264

Status published

Products (45)

php/php 1.0

php/php 2.0

php/php 2.0b10

php/php 3.0

php/php 3.0.1

php/php 3.0.2

php/php 3.0.3

php/php 3.0.4

php/php 3.0.5

php/php 3.0.6

... and 35 more

Published Jun 16, 2011

Tracked Since Feb 18, 2026