Vigil@nce: PHP, file access via the null character
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When a PHP application does not filter null characters in its
parameters, and then uses these parameters to access to a file,
the name of the file which is really accessed is truncated.
– Severity: 2/4
– Creation date: 19/11/2010
DESCRIPTION OF THE VULNERABILITY
The PHP language offers several file processing functions:
include(), copy(), is_file(), file_get_contents(),
file_put_contents(), file(), glob(), is_dir(), file_exists(),
fileatime(), filectime(), filegroup(), fileinode(), filemtime(),
fileowner(), fileperms(), filesize(), filetype(), fopen(),
is_executable(), is_link(), is_readable(), is_writable(),
lchgrp(), lchown(), link(), linkinfo(), lstat(), mkdir(),
pathinfo(), popen(), readfile(), realpath(), rename(), rmdir(),
stat(), symlink(), touch(), unlink(), tempnam().
The C language uses the null ’\0’ character as the end of a
string, but the PHP language allows a string to contain a null:
"str\0ing".
File processing functions (implemented in C) truncate the file
name after the null character. However, the optional PHP code
checking the file name validity does not truncate the file name.
This inconsistency can for example allow the access to a file,
even if its extension is invalid.
When a PHP application does not filter null characters in its
parameters, and then uses these parameters to access to a file,
the name of the file which is really accessed is therefore
truncated.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-file-access-via-the-null-character-10139