This happens because VRS doesn't set CURLOPT_SAFE_UPLOAD to true (it is supposed to default to true in PHP >= 5.6.0, but it doesn't in production with 5.6.99-hhvm), which lets curl try to be "helpful" by interpreting array( 'foo' => '@bar' ) as a file upload.
I haven't managed to exploit this from the web interface because Parsoid doesn't seem to like file uploads and returns a 404 rather than exposing the contents of the file. Also, absolute paths like @/etc/crontab don't appear to work.
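The defensive pattern implied by the report, as an added example that is not VRS or MediaWiki code: opt in to CURLOPT_SAFE_UPLOAD explicitly rather than trusting the runtime default, fall back to rejecting `@`-prefixed values where the option does not exist, and express intended uploads with CURLFile so they never rely on the legacy `@path` convention. The URL, field names and file path are constructed; only the curl extension and PHP >= 5.5 (for CURLFile) are assumed.

```php
<?php
// Added example, not part of the original report or of MediaWiki/VRS.
// Assumes the curl extension is loaded and PHP >= 5.5 (CURLFile exists).

/**
 * Builds a POST handle whose fields are always sent as literal strings,
 * never reinterpreted by curl as "upload the file at this path".
 */
function safePostHandle($url, array $fields)
{
    $ch = curl_init($url);

    if (defined('CURLOPT_SAFE_UPLOAD')) {
        // The actual fix: do not rely on the default being true (HHVM reported
        // it was not); set it explicitly on every handle.
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    } else {
        // Runtimes without the option cannot switch the legacy behaviour off,
        // so refuse any value that curl would treat as a file-upload directive.
        foreach ($fields as $name => $value) {
            if (is_string($value) && isset($value[0]) && $value[0] === '@') {
                throw new InvalidArgumentException(
                    "Refusing POST field '$name': a leading '@' would be treated as a file upload"
                );
            }
        }
    }

    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

/**
 * Intended uploads use CURLFile, which is unambiguous and does not depend on
 * CURLOPT_SAFE_UPLOAD, so no user-controlled string is ever read as a path.
 */
function uploadHandle($url, $fieldName, $localPath)
{
    $ch = curl_init($url);
    if (defined('CURLOPT_SAFE_UPLOAD')) {
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    }
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array(
        $fieldName => new CURLFile($localPath, 'text/plain', basename($localPath)),
    ));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed usage: with the safe handle, array('foo' => '@bar') is sent as
// the literal string "@bar" instead of triggering an upload of a file "bar".
$ch = safePostHandle('http://localhost/api', array('foo' => '@bar'));
curl_close($ch);
```

The `defined()` guard matters because PHP < 5.5 has no CURLOPT_SAFE_UPLOAD constant at all, and on those builds the only option is to reject the value outright; on PHP 7 the safe behaviour is enforced unconditionally, so setting it to true there is harmless.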
patches:
- master -
- 1.23 - included in
- 1.24 - included in
- 1.25 - included in
- 1.26 - included in
affected versions:
type: CWE-159
CVE: CVE-2015-8625