Where can Null Byte Injection affect my PHP web app in a realistic setting?
I've just read the PHP section on http://projects.webappsec.org/Null-Byte-Injection.
开发者_运维技巧The example it provides is pretty dumb - I mean, why would you ever want to include a file based on an outside param without checking it first (for directory traversal attacks, for one)?
So, if following standard PHP security practices, such as
- encoding user entered data on display
- validating user entered stuff that works with files
- preventing CRSF
- not running uploads via something that executes PHP
- etc
Can anyone provide a real life example or a common mistake of PHP developers where this problem can occur?
Thanks
Upate
I'm trying to make something break, and this what I have tried.
// $filename is from public
$filename = "some_file\0_that_is_bad.jpg";
$ext = pathinfo($filename, PATHINFO_EXTENSION);
var_dump($filename, $ext);
Which outputs
string(26) "some_file�_that_is_bad.jpg"
string(3) "jpg"
I believe that part of the fun with Null byte injection is that simple validation may not be good enough to catch them
e.g. the string "password.txt\0blah.jpg" actually ends with ".jpg" as far as the scripting language is concerned .. but when passed to a C based function ( such as many system functions) it gets truncated to "password.txt"
This means that a simple check like this may not be safe. (this is just pseudocode, not PHP)
if ( filename.endswith(".jpg") ) { some_c_function(filename); }
Instead you may have to do
filename = break_at_null(filename);
if ( filename.endswith(".jpg") ) { some_c_function(filename); }
Now it doesn't really matter what that c function is .. the examples in the cited article may have need file reading functions, but it could just as well be database accesses, system calls, etc.
精彩评论