PHP Improper Input Validation Vulnerability - CVE-2015-3411
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.
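
An application-side guard for the case described above, as an added example that is not part of the advisory or of PHP itself: it rejects NUL bytes in a user-supplied file name before the name reaches a call such as DOMDocument::load, and reports whether the running interpreter falls in the affected version ranges. The function names, the temporary directory and the sample inputs are constructed for illustration.

```php
<?php
// Added example: names, directory and inputs below are constructed.

// True if $version is in the ranges the advisory lists as affected.
function is_affected_php_version($version)
{
    $fixed  = array('5.4' => '5.4.40', '5.5' => '5.5.24', '5.6' => '5.6.8');
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (isset($fixed[$branch])) {
        return version_compare($version, $fixed[$branch], '<');
    }
    return version_compare($version, '5.4.0', '<'); // older branches: "before 5.4.40"
}

// Returns the resolved path of an .xml file inside $baseDir, or false.
function safe_xml_path($baseDir, $name)
{
    // Reject NUL outright. A suffix test sees the whole PHP string, but C-level
    // file APIs stop at the first "\0", so the two can disagree about the name.
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return false;
    }
    // Plain file name only (no separators), ending in .xml.
    if (!preg_match('/\A[A-Za-z0-9._-]+\.xml\z/', $name)) {
        return false;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false) {
        return false;
    }
    // The resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : false;
}

// Constructed demo: one real file, then three candidate names.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xmldemo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.xml', '<r/>');
foreach (array('report.xml', "filename\0.xml", '../report.xml') as $name) {
    $naive = substr($name, -4) === '.xml';   // extension-only check
    $path  = safe_xml_path($dir, $name);     // pass $path, not $name, to the loader
    printf("%-16s suffix-check=%s guard=%s\n", addcslashes($name, "\0"),
        $naive ? 'pass' : 'fail', $path === false ? 'rejected' : 'accepted');
}
printf("PHP %s in affected range: %s\n", PHP_VERSION,
    is_affected_php_version(PHP_VERSION) ? 'yes' : 'no');
```

The guard is a defence in depth for code that may run on an unpatched interpreter; upgrading to a fixed release remains the actual remedy.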