Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

De la Théorie à la pratique





















Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce: PHP, file access via the null character

November 2010 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

When a PHP application does not filter null characters in its parameters, and then uses these parameters to access to a file, the name of the file which is really accessed is truncated.

- Severity: 2/4
- Creation date: 19/11/2010

DESCRIPTION OF THE VULNERABILITY

The PHP language offers several file processing functions: include(), copy(), is_file(), file_get_contents(), file_put_contents(), file(), glob(), is_dir(), file_exists(), fileatime(), filectime(), filegroup(), fileinode(), filemtime(), fileowner(), fileperms(), filesize(), filetype(), fopen(), is_executable(), is_link(), is_readable(), is_writable(), lchgrp(), lchown(), link(), linkinfo(), lstat(), mkdir(), pathinfo(), popen(), readfile(), realpath(), rename(), rmdir(), stat(), symlink(), touch(), unlink(), tempnam().

The C language uses the null ’\0’ character as the end of a string, but the PHP language allows a string to contain a null: "str\0ing".

File processing functions (implemented in C) truncate the file name after the null character. However, the optional PHP code checking the file name validity does not truncate the file name. This inconsistency can for example allow the access to a file, even if its extension is invalid.

When a PHP application does not filter null characters in its parameters, and then uses these parameters to access to a file, the name of the file which is really accessed is therefore truncated.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/P...




See previous articles

    

See next articles