Thisislegal.com


The NULL Byte


Do not mix up the NULL byte with the character "0" (zero)!
The NULL byte is the byte with the hex value 00; URL-encoded, it is written "%00".
It may also be written as "\0". For PHP, the NULL byte is just another character inside a string. The problem is that PHP itself is written in C, and in C the NULL byte is the string terminator. This means that, for the underlying C code, the string stops at the NULL byte!

System calls passed to the operating system should also be filtered carefully. UNIX is written in C too, so the string-terminating NULL character can lead to problems there as well.

The best example is fooling a web application into thinking a different file type has been requested. Take a look at the code below:

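<?php
// Deliberately vulnerable: the file name comes straight from the query string.
$file = $_GET['file'];
// Append ".txt" in an attempt to restrict the script to text files.
$file = $file . '.txt';
// The path is passed on unchecked, NULL byte included.
fopen($file, 'r');
?>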


The script doesn't look so bad. It takes the filename that it gets and puts a ".txt" on the end. So the programmer tries to make sure that only text files can be opened. But what about a filename like this:
phppage.php%00


It will try to get:

phppage.php%00.txt


So fopen opens phppage.php%00.txt? No! And that is the point. The fopen function stops after ".php", just before the NULL byte, and opens only "phppage.php". So every type of file can be opened.
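
One way to harden the script above, as an added example that is not part of the original tutorial: the helper name resolve_text_file(), the allow-list pattern and the temporary demo directory are assumptions made for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added illustration, not the tutorial's code. resolve_text_file() is a
// hypothetical helper; assumes PHP 7 or later.
function resolve_text_file(string $name, string $baseDir): string
{
    // 1. Reject embedded NULL bytes, so PHP and the C layer below it can
    //    never disagree about where the file name ends.
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NULL byte in file name');
    }
    // 2. Allow-list the name: no dots or slashes, so neither an extension
    //    nor a directory can be smuggled in. \A and \z anchor the whole string.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('illegal file name');
    }
    // 3. Resolve the final path and confirm it is still inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.txt');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('file not available');
    }
    return $path;
}

// Constructed demo data: a temporary directory holding one text file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'nullbyte_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'readme.txt', "hello\n");

// Constructed inputs: one legitimate name, the tutorial's NULL-byte name
// (already URL-decoded, as PHP delivers it in $_GET), and a traversal attempt.
foreach (['readme', "phppage.php\0", '../secret'] as $input) {
    try {
        $result = 'opens ' . resolve_text_file($input, $dir);
    } catch (Exception $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo json_encode($input), ' => ', $result, "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'readme.txt');
rmdir($dir);
```

Only the first input resolves to a path; the NULL-byte name is refused by the first check and the traversal attempt by the allow-list.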

Scripts that allow uploads (but only for a certain file type) are also a potential target for this type of attack.

For another useful example of the NULL byte, have a look at ereg().





Tutorial By Raduce

Comments:

xyberz09:
I guess we've got a 'Guest' spammer in here

xyberz09:
Please post the link to the other tutorial

RaducE:
No prob. I was running out of ideas and I wrote this.

t0mmy9:
short but helpful, thanks


Copyright © 2007-11 Thisislegal.com, All Rights Reserved

 