
Where can Null Byte Injection affect my PHP web app in a realistic setting?

I've just read the PHP section on http://projects.webappsec.org/Null-Byte-Injection.


The example it provides is pretty dumb - I mean, why would you ever want to include a file based on an outside param without checking it first (for directory traversal attacks, for one)?

So, if following standard PHP security practices, such as

  • encoding user entered data on display
  • validating user entered stuff that works with files
  • preventing CSRF
  • not running uploads via something that executes PHP
  • etc

Can anyone provide a real life example or a common mistake of PHP developers where this problem can occur?

Thanks

Update

I'm trying to make something break, and this is what I have tried.

// $filename is from public
$filename = "some_file\0_that_is_bad.jpg";

$ext = pathinfo($filename, PATHINFO_EXTENSION);

var_dump($filename, $ext);

Which outputs

string(26) "some_file�_that_is_bad.jpg"
string(3) "jpg"


I believe that part of the fun with Null byte injection is that simple validation may not be good enough to catch them

e.g. the string "password.txt\0blah.jpg" actually ends with ".jpg" as far as the scripting language is concerned .. but when passed to a C based function ( such as many system functions) it gets truncated to "password.txt"

This means that a simple check like this may not be safe. (this is just pseudocode, not PHP)

 if ( filename.endswith(".jpg") ) { some_c_function(filename); }

Instead you may have to do

 filename = break_at_null(filename);
 if ( filename.endswith(".jpg") ) { some_c_function(filename); }

Now it doesn't really matter what that C function is .. the examples in the cited article may have needed file reading functions, but it could just as well be database accesses, system calls, etc.
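
The check order described in the answer above, written out in PHP as an added example (not code from the question or the answer). The function names `break_at_null`, `naive_is_jpg`, `truncated_is_jpg` and `checked_jpg_name` are hypothetical, the sample names are constructed, and the reject-on-NUL variant goes one step beyond the answer's truncate-then-check.

```php
<?php
// Added illustration. Function names are hypothetical, inputs are constructed.

// The answer's break_at_null(): keep what a C function reading a
// NUL-terminated char* would see.
function break_at_null(string $s): string
{
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

// The naive check: looks only at the end of the full PHP string.
function naive_is_jpg(string $name): bool
{
    return strtolower(substr($name, -4)) === '.jpg';
}

// The answer's order: truncate first, then test the extension.
function truncated_is_jpg(string $name): bool
{
    return naive_is_jpg(break_at_null($name));
}

// Stricter variant (an assumption of this example, not from the answer):
// a NUL byte is never valid in a file name, so reject instead of truncating.
// Returns the accepted base name, or null when the input is refused.
function checked_jpg_name(string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;
    }
    $base = basename($name);
    return naive_is_jpg($base) ? $base : null;
}

// Constructed sample inputs.
$samples = ["holiday.jpg", "password.txt\0blah.jpg", "some_file\0_that_is_bad.jpg"];
foreach ($samples as $s) {
    printf(
        "%-34s naive=%-5s c_sees=%-16s truncated=%-5s checked=%s\n",
        json_encode($s),
        var_export(naive_is_jpg($s), true),
        json_encode(break_at_null($s)),
        var_export(truncated_is_jpg($s), true),
        json_encode(checked_jpg_name($s))
    );
}
```

For the two names containing `\0`, the naive check reports `true` while the truncated check reports `false` and the strict check returns `null`, which is the mismatch the answer warns about.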
