Vigil@nce - PHP: file access via the null character
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When a PHP application does not filter null characters in its
parameters, and then uses these parameters to access to a file,
the name of the file which is really accessed is truncated.
Impacted products: Debian, Fedora, openSUSE, PHP, RHEL, Slackware,
SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DSxxx,
Synology RSxxx, Ubuntu
Severity: 2/4
Creation date: 18/05/2015
DESCRIPTION OF THE VULNERABILITY
The PHP language offers several file processing functions:
set_include_path(), tempnam(), rmdir() and readlink().
The C language uses the null ’\0’ character as the end of a
string, but the PHP language allows a string to contain a null:
"str\0ing".
File processing functions (implemented in C) truncate the file
name after the null character. However, the optional PHP code
checking the file name validity does not truncate the file name.
This inconsistency can for example allow the access to a file,
even if its extension is invalid.
When a PHP application does not filter null characters in its
parameters, and then uses these parameters to access to a file,
the name of the file which is really accessed is therefore
truncated.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-file-access-via-the-null-character-16918