This could be evidence of an attempted Poison NULL Byte Attack. PHP and Perl do not use NULL-terminated strings, but most underlying systems (anything C based) do.
This can lead to a certain class of attack where the attacker constructs a string that the programmer intended to be impossible. For example, if you were using a C library to include local file content into a web page, in your PHP you might do something like;
Code: Select all
grabLocalFile($_GET['file_name'] . ".php");
By manually appending the ".php" it can appear that some security is offered - in that only file names ending with .php can be included. However if an attacker is able to send a request such as;
Code: Select all
example.com/index.php?file_name=/etc/passwd\0
The null byte \0 will be treated as part of the string by php, which ends up calling;
Code: Select all
grabLocalFile("/etc/passwd\0.php");
When this string reaches the underlying system, the NULL byte will be treated as a string terminator, and the .php will be ignored. Now the attacker has included /etc/passwd into the web page he is viewing, despite the developer's attempt to enforce inclusion only of files ending in ".php"
To mitigate these kinds of attacks you can strip out the NULL byte altogether by doing something like this
Regardless, suhosin looks like it is properly configured to defend against this class of attack.