Question

My shared hosting service says that they are not turning on fileinfo because of a security vulnerability. Can anybody explain to me what kind of security issues there are in the fileinfo extension?

Solution

The function fileinfo has a security vulnerability which can cause a denial-of-service attack.

Quote from cvedetails.com:

The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object.
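
A check a site owner or host could run against the version range named in the quote above. This is an added example, not part of the original answer; the function name `fileinfo_advisory_status` and the sample version strings are constructed for illustration.

```php
<?php
// Added example: classify a PHP version string against the range named in
// the quoted advisory (5.4.x before 5.4.16). The function name is hypothetical.

function fileinfo_advisory_status($version)
{
    // Reduce strings such as "5.4.4-14+deb7u14" to their upstream x.y.z part.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return 'unknown version format';
    }
    $core = $m[1] . '.' . $m[2] . '.' . $m[3];

    // The quote only makes a statement about the 5.4 branch, so other
    // branches are reported as outside its scope, not as safe.
    if ($m[1] !== '5' || $m[2] !== '4') {
        return 'not covered by the quoted advisory';
    }

    // Distribution packages can backport fixes without changing the upstream
    // number, so "in affected range" means "confirm with the package vendor".
    return version_compare($core, '5.4.16', '<')
        ? 'in affected range (5.4.x before 5.4.16)'
        : 'at or above 5.4.16';
}

// Constructed sample versions, followed by the interpreter running this script.
$samples = array('5.4.15', '5.4.16', '5.4.4-14+deb7u14', '5.5.0', PHP_VERSION);
foreach ($samples as $v) {
    printf("%-20s %s\n", $v, fileinfo_advisory_status($v));
}

// The quoted issue is only reachable when the extension is actually loaded.
printf("fileinfo loaded here: %s\n", extension_loaded('fileinfo') ? 'yes' : 'no');
```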

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow