PHP 7.1.0/5.6.29 missing null byte checks for paths in exif_imagetype
Posted on 30 November -0001
<HTML><HEAD><TITLE>PHP 7.1.0/5.6.29 missing null byte checks for paths in exif_imagetype</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Description: ------------ exif_imagetype doesn't ensure that pathnames lack NULL byte, which might allow attacker to manipulate the file path. =============================================== Affected code: PHP_FUNCTION(exif_imagetype) { char *imagefile; size_t imagefile_len; php_stream * stream; int itype = 0; if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { ⇐== THIS LINE return; } =============================================== Test script: --------------- <?php var_dump(exif_imagetype("./image.pngx00.gallery.jpg")); ?> Expected result: ---------------- expected parameter instead of string Actual result: -------------- $ php curl.php int(3) Credit: Maksymilian from CXSECURITY.COM </BODY></HTML>
