The Null Byte
Do not mix up the NULL byte with 0 (zero)! The NULL byte is the byte with value 0x00 (all bits zero); the character "0" is the byte 0x30.
The NULL byte is written "%00" when it is URL-encoded in a query string, and "\0" in C and PHP string literals.
PHP strings are binary-safe: a string is stored together with its length, so a NULL byte inside it is just another character. The problem is that PHP is written in C, and most of the functions PHP exposes (fopen(), include(), file_get_contents() and so on) eventually hand the string to a C library call that treats NULL as the string terminator. The C side stops reading at the first NULL byte, so the string is silently truncated there.
The same applies to anything passed on to the operating system. UNIX is written in C too, so system calls and shell commands built from user input must be filtered carefully: the kernel and libc also stop at the NULL terminator.
The classic example is fooling a web application into opening a different file type than the one it thinks it is serving. Take a look at the code below ($HTTP_GET_VARS is the pre-PHP 4.1 name of what is now $_GET):

    $file = $HTTP_GET_VARS["file"];   // attacker-controlled query parameter
    $file = $file . ".txt";           // meant to restrict the script to .txt files
    $fp = fopen($file, "r");          // the appended ".txt" is dropped if $file holds a NULL byte
The script doesn't look so bad: it takes the filename it receives and appends ".txt", so the developer believes only text files can be opened. But what about a filename like this:
    phppage.php%00
After appending ".txt" the script will try to open:
    phppage.php%00.txt
So does fopen open phppage.php%00.txt? No, and that is the point. The %00 in the query string is decoded to a real NULL byte before the script sees it, and the C function behind fopen stops reading at that byte, so only "phppage.php" is opened. The ".txt" the developer appended is never seen by the C side, and any file can be opened regardless of its extension.
Scripts that allow uploads (but only of a certain file type) are another target for this attack: an extension that passes the check can be hidden behind a NULL byte in the same way, and the file lands on disk under the truncated name. For another useful example of the NULL byte have a look at /*ereg()*/.
Note: PHP 5.3.4 and later reject paths that contain a NULL byte (fopen() and the other filesystem functions fail with a warning instead of truncating), so this particular vulnerability is fixed there. The underlying C behaviour is unchanged, so code that builds paths or commands for other C-based programs still needs the same check.
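The following C program is an added example, not part of the original tutorial or of PHP itself. It reproduces the whole chain for the fopen example above and for the upload filter case: the raw query value is URL-decoded (so %00 becomes a real zero byte), ".txt" is appended to a length-carrying string the way PHP stores strings, and the result is then examined the way a NUL-terminated libc call such as fopen(3) would see it. The last function is a stand-in for the check PHP 5.3.4 added: refuse any path whose declared length covers an embedded zero byte. The function names, the buffer sizes and the query value "phppage.php%00" are assumptions made for this example; no file is actually opened.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes of a query-string value into out.  The output is NOT
 * NUL-terminated, because a decoded %00 is itself a zero byte; the length is
 * returned instead (0 on a malformed escape or when out is too small). */
size_t url_decode(const char *in, unsigned char *out, size_t out_size) {
    size_t n = 0;
    for (; *in; in++) {
        if (n >= out_size) return 0;
        if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return 0;
            out[n++] = (unsigned char)(hi * 16 + lo);
            in += 2;
        } else {
            out[n++] = (unsigned char)*in;
        }
    }
    return n;
}

/* Mimic the script: append ".txt" while keeping an explicit length, as PHP
 * does internally.  Returns the new length, 0 if out is too small. */
size_t build_path(const unsigned char *name, size_t name_len,
                  unsigned char *out, size_t out_size) {
    const char suffix[] = ".txt";
    size_t suffix_len = sizeof suffix - 1;
    if (name_len + suffix_len > out_size) return 0;
    memcpy(out, name, name_len);
    memcpy(out + name_len, suffix, suffix_len);
    return name_len + suffix_len;
}

/* How many bytes a NUL-terminated C API such as fopen(3) actually reads:
 * everything up to the first zero byte. */
size_t c_visible_len(const unsigned char *path, size_t len) {
    const unsigned char *nul = memchr(path, 0, len);
    return nul ? (size_t)(nul - path) : len;
}

/* Stand-in for the PHP 5.3.4+ check: a path is only valid if its declared
 * length contains no zero byte, so libc will see exactly what PHP sees. */
int path_is_valid(const unsigned char *path, size_t len) {
    return memchr(path, 0, len) == NULL;
}

/* Run decode + append for one raw query value; returns the path length. */
static size_t run_chain(const char *query_value, unsigned char *path, size_t size) {
    unsigned char name[64];
    size_t name_len = url_decode(query_value, name, sizeof name);
    return build_path(name, name_len, path, size);
}

/* Bytes libc would see for a given raw ?file= value. */
size_t visible_len_for_query(const char *query_value) {
    unsigned char path[72];
    size_t path_len = run_chain(query_value, path, sizeof path);
    return c_visible_len(path, path_len);
}

/* 1 if PHP 5.3.4+ would pass the path on to libc, 0 if it is rejected. */
int php534_accepts_query(const char *query_value) {
    unsigned char path[72];
    size_t path_len = run_chain(query_value, path, sizeof path);
    return path_is_valid(path, path_len);
}

int main(void) {
    /* Constructed attacker input: the raw query value file=phppage.php%00 */
    const char *query_value = "phppage.php%00";
    unsigned char path[72];
    size_t path_len = run_chain(query_value, path, sizeof path);
    size_t seen = c_visible_len(path, path_len);

    printf("PHP string length after appending .txt: %zu bytes\n", path_len);
    printf("bytes libc fopen() would read:         %zu (\"%.*s\")\n",
           seen, (int)seen, (const char *)path);
    printf("PHP >= 5.3.4 accepts this path:        %s\n",
           path_is_valid(path, path_len) ? "yes" : "no");
    return 0;
}
```

The two numbers printed for "phppage.php%00" are 16 and 11: PHP carries all sixteen bytes of "phppage.php\0.txt", while the C side stops after "phppage.php". The same memchr() test used in path_is_valid() is the check to apply to an uploaded filename before trusting its extension.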
Tutorial by Raduce