I've just read the PHP section on http://projects.webappsec.org/Null-Byte-Injection.

The example it provides is pretty dumb - I mean, why would you ever want to include a file based on an outside param without checking it first (for directory traversal attacks, for one)?

So, if following standard PHP security practices, such as

  • encoding user entered data on display
  • validating user entered stuff that works with files
  • preventing CSRF
  • not running uploads via something that executes PHP
  • etc

Can anyone provide a real life example or a common mistake of PHP developers where this problem can occur?

Thanks

Update

I'm trying to make something break, and this is what I have tried.

<?php
// $filename is from public
$filename = "some_file\0_that_is_bad.jpg";

$ext = pathinfo($filename, PATHINFO_EXTENSION);

var_dump($filename, $ext);

Which outputs

string(26) "some_file�_that_is_bad.jpg"
string(3) "jpg"
Answer (+1):

I believe that part of the fun with null byte injection is that simple validation may not be good enough to catch them.

e.g. the string "password.txt\0blah.jpg" actually ends with ".jpg" as far as the scripting language is concerned, but when passed to a C-based function (such as many system functions) it gets truncated to "password.txt".

This means that a simple check like this may not be safe. (this is just pseudocode, not PHP)

 if ( filename.endswith(".jpg") ) { some_c_function(filename); }

Instead you may have to do

 filename = break_at_null(filename);
 if ( filename.endswith(".jpg") ) { some_c_function(filename); }

Now it doesn't really matter what that C function is; the examples in the cited article may have been file reading functions, but it could just as well be database accesses, system calls, etc.

Michael Anderson
What functions are not safe (i.e. just wrapped C functions)? I guess `strlen()`, `strcmp()`, etc, but is there a definite list? Cheers.
alex
Not that I know of (but I'm new to this area too). Though I suspect it will depend on your PHP version and probably your OS too.
Michael Anderson
On my version of php (5.2.12 on OS X) some of the functions I thought might fail are fine: printf, sprintf, strlen.
Michael Anderson
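To tie the question's pathinfo() experiment and the answer's pseudocode together, here is an added PHP example (not code from the question, the answer, or the cited article). It puts the naive extension check next to a hardened validator that refuses any name containing a NUL byte before the string reaches a filesystem or system call; the function names, the regular expression, and the sample filename are my own assumptions and constructions.

```php
<?php
// Added example: validating an upload-style filename so that an embedded
// NUL byte cannot make the extension check and the C layer disagree about
// which file is meant. Not the page's own code.

// Naive check: only consults PHP's own view of the (length-prefixed) string,
// so a name like "password.txt\0blah.jpg" still reports the extension "jpg".
function naive_is_jpg($filename) {
    return pathinfo($filename, PATHINFO_EXTENSION) === 'jpg';
}

// Hardened check (hypothetical helper): reject NUL bytes outright, drop any
// directory part, then allow only a plain name with a fixed ".jpg" suffix.
// Returns the cleaned basename, or null when the input must be refused.
function safe_jpg_name($filename) {
    if (strpos($filename, "\0") !== false) {
        return null;                     // NUL byte present: refuse the name
    }
    $base = basename($filename);         // strip "../" and other path parts
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.jpg\z/', $base)) {
        return null;                     // unexpected characters or suffix
    }
    return $base;
}

// Constructed sample input, modelled on the answer's example string.
$constructed = "password.txt\0blah.jpg";

var_dump(naive_is_jpg($constructed));    // naive check is satisfied
var_dump(safe_jpg_name($constructed));   // hardened check refuses it
var_dump(safe_jpg_name("photo_01.jpg")); // an ordinary name passes
```

The strpos() test is the PHP equivalent of the answer's break_at_null() step, except that it refuses the name instead of silently truncating it, which is the safer choice for anything that will later become a path or a shell argument. Since PHP 5.3.4 the built-in filesystem functions themselves reject paths containing a NUL byte (a warning and false; PHP 8 throws a ValueError), so on current versions the file-include case from the cited article fails closed, but that protection does not extend to every extension that hands strings to C libraries or to the OS, which is why the check belongs in the validation step rather than being left to whichever function happens to receive the string.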