ID: 44366
User updated by: charlesfol at hotmail dot fr
Reported By: charlesfol at hotmail dot fr
Status: Open
Bug Type: *Regular Expressions
Operating System: nux/win
PHP Version: 5.2.5
New Comment:
OK, in fact I found that this was a known problem.
I apologize about your wasted time =)
Previous Comments:
------------------------------------------------------------------------
[2008-03-08 03:12:53] charlesfol at hotmail dot fr
Description:
------------
I discovered that in this PHP version, a regex check could be bypassed using \0
(%00), a.k.a. the POISON NULL BYTE.
Reproduce code:
---------------
<?php
// Input taken straight from the query string, e.g. page.php?var=test%00_-
$var = isset($_GET['var']) ? $_GET['var'] : '';
// POSIX ereg() is not binary-safe: matching stops at the first NUL byte,
// so everything after %00 is never seen by the pattern.
$is_alphanum_var = ereg("^[a-zA-Z0-9]+$", $var);
print "$is_alphanum_var\n$var";
?>
Expected result:
----------------
Normally, if the code contains bad chars such as %, ", or _, it will be
detected by the regex.
Actual result:
--------------
But if we use this URL:
http://site.com/page.php?var=test%00_-
$is_alphanum_var RETURNS 1, BUT $var CONTAINS _-
Security HOLE.
Warmly, Charles "real" FOL.
------------------------------------------------------------------------
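The following is an added example, not code from the bug report or from PHP itself. It puts the reporter's ereg() check beside the binary-safe PCRE equivalent on the same input the report describes (what ?var=test%00_- decodes to), plus a trailing-newline input that shows the one remaining sharp edge of preg_match with a bare "$" anchor. The helper names and the sample inputs are my own; ereg() is guarded with function_exists() because it was deprecated in PHP 5.3 and removed in PHP 7, so on a modern interpreter only the preg_match() columns will be populated.

```php
<?php
// Added example (not part of the original bug report).
// Compares the non-binary-safe POSIX ereg() used in the report with
// PCRE preg_match(), which treats NUL as an ordinary byte.

// Constructed inputs (not from the report's test system):
$inputs = array(
    "test",        // clean alphanumeric input
    "test\0_-",    // what ?var=test%00_- decodes to
    "test\n",      // trailing newline: PCRE '$' matches before it
);

// Reporter's check. ereg() hands the subject to a C regex library as a
// NUL-terminated string, so only "test" is ever examined. Returns NULL
// on PHP >= 7, where ereg() no longer exists.
function is_alphanum_ereg($s) {
    if (!function_exists('ereg')) {
        return null;
    }
    return (bool) @ereg("^[a-zA-Z0-9]+$", $s);
}

// Direct PCRE translation: binary-safe, so the NUL-byte input is
// rejected. But in PCRE '$' also matches immediately before a final
// "\n", so "test\n" still passes.
function is_alphanum_preg_dollar($s) {
    return preg_match('/^[a-zA-Z0-9]+$/', $s) === 1;
}

// Strict form: \z anchors at the true end of the subject. The D
// (PCRE_DOLLAR_ENDONLY) modifier on the pattern is the equivalent fix
// if you prefer to keep '$'.
function is_alphanum_preg_strict($s) {
    return preg_match('/^[a-zA-Z0-9]+\z/', $s) === 1;
}

// ctype_alnum() is a regex-free alternative for this particular check:
// byte-wise, binary-safe, and false for the empty string.
function is_alphanum_ctype($s) {
    return ctype_alnum($s);
}

foreach ($inputs as $s) {
    printf('%-16s ereg=%-5s preg($)=%-5s preg(\z)=%-5s ctype=%s' . "\n",
        json_encode($s),
        var_export(is_alphanum_ereg($s), true),
        var_export(is_alphanum_preg_dollar($s), true),
        var_export(is_alphanum_preg_strict($s), true),
        var_export(is_alphanum_ctype($s), true));
}
```

Run it with `php example.php`. On PHP 5.2.x the ereg column reproduces the report: the NUL-byte input is accepted while $var still carries the "_-" suffix. The preg_match($) column fixes the NUL case but accepts "test\n"; use \z (or the D modifier) when the value must be strictly alphanumeric end to end, and remember that preg_match() returns false on error, which is why the helpers compare against 1 rather than relying on truthiness.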
--
Edit this bug report at http://bugs.php.net/?id=44366&edit=1