php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #44366 Regex bypass using POISON NULL BYTE
Submitted: 2008-03-08 03:12 UTC Modified: 2008-03-08 11:47 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: charlesfol at hotmail dot fr Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.2.5 OS: nux/win
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: charlesfol at hotmail dot fr
New email:
PHP Version: OS:

 

 [2008-03-08 03:12 UTC] charlesfol at hotmail dot fr 
Description:
------------
I discovered that in this PHP version, regex could be bypassed using \0 (%00) a.k.a. POISON NULL BYTE.

Reproduce code:
---------------
<?php

$var=$_GET['var'];
$is_alphanum_var = ereg("^[a-zA-Z0-9]+$",$var);
print "$is_alphanum_var\n$var";

?>


Expected result:
----------------
Normally if code contains ad chars such as %,", or _ it will be detected by the regex.

Actual result:
--------------
But if we use this URL:
http://site.com/page.php?var=test%00_-

$is_alphanum_var RETURNS 1, BUT $var CONTAINS _-

Security HOLE.

Warmly, Charles "real" FOL.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-08 11:02 UTC] charlesfol at hotmail dot fr 
OK, in fact I found that this was a known problem.
I apologize about your wasted time =)
 [2008-03-08 11:47 UTC] johannes@php.net 
As the reporter said ;-)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 19:01:29 2024 UTC