ID:               38008
Comment by:       judas dot iscariote at gmail dot com
Reported By:      david dot hoskovec at atlas dot cz
Status:           Open
Bug Type:         *Directory/Filesystem functions
Operating System: Windows
PHP Version:      5.1.4
 New Comment:

This is a well-known security exploit possible with a lot of languages,
not only PHP.
This is called a "Null byte attack".

BTW, this is not a bug in PHP, but in your scripts.


Previous Comments:
------------------------------------------------------------------------

[2006-07-04 20:03:37] david dot hoskovec at atlas dot cz

Description:
------------
There is a method that allows masking a filename's ext - a security issue in
some file-upload scripts.

Reproduce code:
---------------
<?

$filename = "test.php".Chr(0);

if(substr($filename , -3)=="php") Die(); // no no, it won't die here !

$fp = FOpen($filename , "w");
FWrite($fp,"<? echo 'bug' ; ?>",4096);
FClose($fp);

include "test.php";

// THIS WILL PRINT 'bug' !!! (PHP version 5)

?>

Expected result:
----------------
FOpen would validate the string (attention to the null-terminating char) before
it uses it and call out an error.



------------------------------------------------------------------------
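
A script-side check for the case in the report, as an added example (not code from the report or from PHP itself): it rejects any file name containing a NUL byte before the extension is examined, then allow-lists the extension. The function name safe_upload_name() and the list of allowed extensions are assumptions made for illustration.

```php
<?php
// Added example; safe_upload_name() and $allowed are hypothetical names.

/**
 * Return the name unchanged if it is safe to use, or null if it must be rejected.
 */
function safe_upload_name(string $name, array $allowed = ['txt', 'png', 'jpg']): ?string
{
    // 1. Reject NUL and other control bytes instead of stripping them.
    //    PHP strings are length-counted, but the C call that opens the file
    //    stops at the first NUL, so the string that was checked and the path
    //    that gets opened would differ.
    if (preg_match('/[\x00-\x1f\x7f]/', $name) === 1) {
        return null;
    }

    // 2. Accept only a bare "<stem>.<ext>" name from a conservative character
    //    set: no directory separators, no extra dots.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$/D', $name, $m) !== 1) {
        return null;
    }

    // 3. Allow-list the extension, case-insensitively (Windows file names are).
    if (!in_array(strtolower($m[1]), $allowed, true)) {
        return null;
    }

    return $name;
}

// Constructed sample inputs, including the name used in the report above.
$samples = [
    "notes.txt",
    "Photo.PNG",
    "test.php",
    "test.php" . chr(0),
    "test.php" . chr(0) . ".txt",
];

foreach ($samples as $s) {
    $shown = str_replace("\0", '\\0', $s); // make the NUL byte visible
    printf("%-16s %s\n", $shown, safe_upload_name($s) === null ? 'rejected' : 'accepted');
}
```

Only notes.txt and Photo.PNG are accepted; every name carrying a NUL byte is refused at step 1, before any suffix comparison can be misled.
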

