PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability - CVE-2015-3412

PHP before 5.4.40 5.5.x before 5.5.24 and 5.6.x before 5.6.8 does not ensure that pathnames lack 00 sequences which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c as demonstrated by a filename0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.