The Null Byte (Tutorials) – ThisisLegal.com
original source : http://www.thisislegal.com/tutorials/11
The NULL Byte
Do not mix up the NULL byte with 0 (zero)!
The NULL byte is the byte with the value 0x00; in a URL it is written percent-encoded as "%00".
In source code it is also written as "\0". To PHP, the NULL byte is just another character in a string. The problem is that PHP is written in C, and in C the NULL byte is the string terminator: a C string stops at the first NULL byte!
Arguments passed on to the operating system should be filtered carefully for the same reason. UNIX is written in C too, so the NULL terminator can cause the same truncation there.
The classic example is fooling a web application into thinking a different file type has been requested. Take a look at the code below:
<?php
// Vulnerable example: the requested file name is taken straight from the query string
$file = $HTTP_GET_VARS['file'];
// ".txt" is appended so that (the author believes) only text files can be opened
$file = $file . '.txt';
fopen($file, 'r');
?>
The script doesn't look so bad: it takes the file name it is given and appends ".txt", so the programmer believes that only text files can be opened. But what about a file name like this: phppage.php%00
It will try to get:
phppage.php%00.txt
So fopen opens phppage.php%00.txt? No, and that is the point. The C code behind fopen stops reading the string at the NULL byte, right after ".php", and opens only "phppage.php". So a file of any type can be opened.
Scripts that allow uploads (but only for a certain file type) are also a potential target for this type of attack.
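As an added illustration (not part of the original tutorial), the C program below reproduces what happens inside the vulnerable script: the request value is kept as a byte buffer with an explicit length, ".txt" is appended, and a C-string API such as fopen() only sees the bytes before the first NULL. The hardened function refuses any value that contains a NULL byte, which is the same check the PHP script should perform on $file before calling fopen(). The function names and the PATH_BUF size are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256

/* Mimics the vulnerable script: the decoded request value arrives as a byte
 * buffer with an explicit length (so an embedded NUL survives), ".txt" is
 * appended, and the result is handed to a C-string API such as fopen(). */
const char *path_seen_by_fopen(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    const char suffix[] = ".txt";
    if (len + sizeof(suffix) > outsz)
        return NULL;                               /* would not fit */
    memcpy(out, in, len);                          /* copies the NUL too */
    memcpy(out + len, suffix, sizeof(suffix));     /* ".txt" + terminator */
    /* fopen() reads this as a C string and stops at the first NUL, so the
     * appended ".txt" is silently discarded when the input contains one. */
    return out;
}

/* Number of bytes of the built path that fopen() would actually use. */
size_t bytes_reaching_fopen(const unsigned char *in, size_t len)
{
    char tmp[PATH_BUF];
    const char *p = path_seen_by_fopen(in, len, tmp, sizeof tmp);
    return p ? strlen(p) : 0;
}

/* Hardened variant: refuse any value containing a NUL before it gets near a
 * C-string API, so the extension can never be cut off. Returns 0 on success. */
int build_txt_path(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    if (memchr(in, '\0', len) != NULL)
        return -1;                                 /* embedded NUL: reject */
    return path_seen_by_fopen(in, len, out, outsz) ? 0 : -1;
}

int main(void)
{
    /* Constructed input: the decoded form of "phppage.php%00" (12 bytes). */
    const unsigned char evil[] = "phppage.php\0";
    char buf[PATH_BUF];
    printf("vulnerable: fopen() sees \"%s\"\n",
           path_seen_by_fopen(evil, sizeof(evil) - 1, buf, sizeof buf));
    printf("hardened:   %s\n",
           build_txt_path(evil, sizeof(evil) - 1, buf, sizeof buf) ? "rejected" : "accepted");
    return 0;
}
```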
For another useful example of the NULL byte, have a look at /*ereg()*/.