PHP Permissions Privileges and Access Controls Vulnerability - CVE-2011-2202

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests which allows remote attackers to conduct absolute path traversal attacks and possibly create or overwrite arbitrary files via a crafted upload request related to a quotfile path injection vulnerability.quot