
CVE-2006-3360: phpSysInfo allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence

CVSS Score: 5

Basic Information

EPSS Score: 0.91513%
Published: 5/1/2022
Updated: 3/30/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name: phpsysinfo/phpsysinfo
Ecosystem: composer
Vulnerable Versions: < 3.2.5
First Patched Version: 3.2.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from how the 'lang' parameter was processed. The pre-patch code used basename($_GET['lang']) to sanitize the input, but PHP's basename() is ineffective against null-byte injection: a value such as '../../etc/passwd%00' is URL-decoded to '../../etc/passwd' followed by a NUL byte, and that NUL byte truncates the string in the underlying C-level handling. Combined with file_exists(), this allowed an attacker to check for the presence of files outside the intended directory. The patch replaced this flawed sanitization with a regex filter ([A-Za-z-]), confirming that these functions were the source of the vulnerability.
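To make the contrast concrete, here is an added example (not phpSysInfo's own code) that places the basename()-only pattern described above beside a hardened loader that applies the character class the analysis cites and then confirms the resolved path stays inside the language directory; the includes/lang/ location and the function names are assumptions.

```php
<?php
// Added example, not phpSysInfo's code. Assumes language files live under
// a hypothetical includes/lang/ directory next to this script.

const LANG_DIR = __DIR__ . '/includes/lang';

// Pre-patch pattern from the analysis: basename() is the only sanitizer.
// A NUL byte in $raw is not removed by basename(), so on PHP versions whose
// file functions were not NUL-safe the path handed to file_exists() was cut
// off at the NUL and the check could land outside LANG_DIR.
function langPathPrePatch(string $raw): string
{
    $lng = basename($raw);
    return LANG_DIR . '/' . $lng . '.php';
}

// Patched pattern: keep only [A-Za-z-] (the filter the page cites), cap the
// length, and require the resolved path to remain under LANG_DIR.
function langPathHardened(string $raw): ?string
{
    $lng = preg_replace('/[^A-Za-z-]/', '', $raw);
    if ($lng === '' || strlen($lng) > 16) {
        return null;                       // nothing usable left after filtering
    }
    $base = realpath(LANG_DIR);
    $real = realpath(LANG_DIR . '/' . $lng . '.php');
    if ($base === false || $real === false) {
        return null;                       // directory or file does not exist
    }
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;                       // resolved outside the language directory
    }
    return $real;
}

// Constructed inputs: a normal code, the NUL-terminated traversal value from
// the analysis, and a code with a NUL-separated suffix.
$inputs = ["en", "../../etc/passwd\0", "en\0.txt"];
foreach ($inputs as $raw) {
    printf("%-28s pre-patch=%s hardened=%s\n",
        addcslashes($raw, "\0"),
        addcslashes(langPathPrePatch($raw), "\0"),
        langPathHardened($raw) ?? 'rejected');
}
```

The hardened function rejects any request whose filtered name does not map to an existing file under includes/lang/, so the "does this file exist" signal the CVE describes is no longer reachable for paths outside that directory.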


WAF Protection Rules

WAF Rule

Directory traversal vulnerability in index.php in phpSysInfo prior to *.*.* allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence and a trailing null (%00) byte in the lng parameter, which will display a fi
