Edit report at http://bugs.php.net/bug.php?id=39863&edit=1
ID: 39863
Comment by: vanderaj at owasp dot org
Reported by: djcapelis at gmail dot com
Summary: file_exists() silently truncates after a null byte
Status: Open
Type: Feature/Change Request
Package: Feature/Change Request
Operating System: Linux, MacOSX
PHP Version: 4.4.4, 5.1.5
New Comment:
I've tested this on CentOS 5.0 with a hand built 5.2.11 and Apple's
build of PHP
5.3.1 on MacOS X 10.6.3, and both have this issue.
If you don't want to run a phpt, here's some a more readable version of
the
previous test:
<?php
$filename = "/etc/passwd" . chr(0). ".ridiculous";
if (file_exists($filename))
{
echo "FAIL: The file [" . $filename . "] exists, but clearly
shouldn't.\n";
}
else
{
echo "PASS: The file [" . $filename . "] does not exist.\n";
}
?>
I've included a PHP test script. It's my first phpt, so please be
gentle.
Previous Comments:
------------------------------------------------------------------------
[2006-12-20 09:47:27] djcapelis at gmail dot com
Sorry, testing was originally done using the hardened php patch here:
http://www.hardened-php.net/downloads.13.html Without the patch,
include_once() is just as vulnerable and silently readily embeds
/etc/passwd right into the file.
Perhaps it would be a good idea to include that part of the patch into
the main PHP distribution and fix the rest of the functions where this
is a problem.
I just tested and PHP 5.1.5 is also vulnerable to both these issues.
(As was a Mac OSX system.)
------------------------------------------------------------------------
[2006-12-18 08:46:13] djcapelis at gmail dot com
Description:
------------
file_exists() silently truncates anything after a null byte in a string.
This produces unexpected results in some circumstances and possibly
would result in security problems for limited amounts of poorly written
code.
include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd'
(attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"
This seems like a sane way to handle it if truncating has to be done...
though frankly since truncation will *always* produce the wrong result
it might be nice to throw an error and stop processing.
Reproduce code:
---------------
<?php
$filename = "/etc/passwd^@" . ".someextension";
if (file_exists($filename))
{
echo "The file " . $filename . "exists";
}
else
{
echo "The file " . $filename . "does not exist";
}
?>
Expected result:
----------------
Expected:
$ php -n test.php
The file /etc/passwd.\0someextension does not exist
Actual result:
--------------
Actual:
$ php -n test.php
The file /etc/passwd.someextension exists
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/bug.php?id=39863&edit=1
