ID:               39863
 User updated by:  djcapelis at gmail dot com
 Reported By:      djcapelis at gmail dot com
 Status:           Open
 Bug Type:         Feature/Change Request
-Operating System: Linux, x86
+Operating System: Linux, MacOSX
-PHP Version:      4.4.4
+PHP Version:      4.4.4, 5.1.5
 New Comment:

Sorry, testing was originally done using the hardened php patch here: 
http://www.hardened-php.net/downloads.13.html  Without the patch,
include_once() is just as vulnerable and silently readily embeds
/etc/passwd right into the file.

Perhaps it would be a good idea to include that part of the patch into
the main PHP distribution and fix the rest of the functions where this
is a problem.

I just tested and PHP 5.1.5 is also vulnerable to both these issues. 
(As was a Mac OSX system.)


Previous Comments:
------------------------------------------------------------------------

[2006-12-18 08:46:13] djcapelis at gmail dot com

Description:
------------
file_exists() silently truncates anything after a null byte in a
string.  This produces unexpected results in some circumstances and
possibly would result in security problems for limited amounts of
poorly written code.

include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd'
(attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

This seems like a sane way to handle it if truncating has to be done...
though frankly since truncation will *always* produce the wrong result
it might be nice to throw an error and stop processing.

Reproduce code:
---------------
<?php
// "\0" is a NUL byte; the C layer sees only "/etc/passwd".
$filename = "/etc/passwd\0" . ".someextension";

if (file_exists($filename))
{
       echo "The file " . $filename . " exists";
}
else
{
       echo "The file " . $filename . " does not exist";
}

?>

Expected result:
----------------
Expected:

$ php -n test.php
The file /etc/passwd.\0someextension does not exist

Actual result:
--------------
Actual:

$ php -n test.php
The file /etc/passwd.someextension exists


------------------------------------------------------------------------
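A defensive check for the truncation described in the report, added here as an example and not taken from the bug report or from PHP itself: reject any filename containing a NUL byte before it reaches file_exists() or include_once(), so the C-level truncation can never select a different file than the one the script's string names. The allow-list of characters and the fixed base directory are assumptions of this example.

```php
<?php
// Added example: validate a user-supplied filename before any filesystem
// call, because file_exists()/include_once() truncate the path at "\0".

// Returns a path under $base, or throws on a NUL byte or a disallowed name.
function safe_path($base, $name)
{
    // A NUL byte is never part of a legitimate filename on Linux or macOS;
    // refuse it outright instead of letting the C layer truncate silently.
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException("NUL byte in filename");
    }
    // Assumed policy for this example: plain names only, no separators,
    // so the caller cannot escape $base with "../" either.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name)
        || $name === '.' || $name === '..') {
        throw new InvalidArgumentException("disallowed characters in filename");
    }
    return rtrim($base, '/') . '/' . $name;
}

// Wraps the check so callers get a result string instead of an exception.
function check_file($base, $name)
{
    try {
        $path = safe_path($base, $name);
    } catch (InvalidArgumentException $e) {
        return "rejected: " . $e->getMessage();
    }
    return file_exists($path) ? "exists" : "does not exist";
}

// Constructed inputs: the report's NUL-byte string, a traversal attempt,
// and a benign name; __DIR__ stands in for the application's data directory.
$cases = array(
    "/etc/passwd\0.someextension",
    "../../etc/passwd",
    "test.php",
);
foreach ($cases as $name) {
    // Make the NUL visible in the output.
    echo str_replace("\0", '\0', $name), ": ", check_file(__DIR__, $name), "\n";
}
```

Since PHP 5.3.4 the core filesystem functions themselves treat a path containing a NUL byte as invalid, but an explicit check like the one above still fails the request with a clear error rather than relying on that behaviour.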

