Bug #44366 Regex bypass using POISON NULL BYTE
Submitted: 2008-03-08 03:12 UTC Modified: 2008-03-08 11:47 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: charlesfol at hotmail dot fr Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.2.5 OS: nux/win
Private report: No CVE-ID: None
 [2008-03-08 03:12 UTC] charlesfol at hotmail dot fr
Description:
------------
I discovered that in this PHP version, regex could be bypassed using \0 (%00) a.k.a. POISON NULL BYTE.

Reproduce code:
---------------
<?php

$var=$_GET['var'];
$is_alphanum_var = ereg("^[a-zA-Z0-9]+$",$var);
print "$is_alphanum_var\n$var";

?>


Expected result:
----------------
Normally, if code contains bad chars such as %, ", or _, it will be detected by the regex.

Actual result:
--------------
But if we use this URL:
http://site.com/page.php?var=test%00_-

$is_alphanum_var RETURNS 1, BUT $var CONTAINS _-

Security HOLE.

Warmly, Charles "real" FOL.

 [2008-03-08 11:02 UTC] charlesfol at hotmail dot fr
OK, in fact I found that this was a known problem.
I apologize about your wasted time =)
 [2008-03-08 11:47 UTC] johannes@php.net
As the reporter said ;-)
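
A defensive counterpart to the reproduce code, added here as an example and not part of the original report or of PHP itself: the POSIX `ereg` functions were removed in PHP 7.0, and the binary-safe `preg_match` sees the whole string, including bytes after a NUL. The helper name `is_strict_alnum` and the sample inputs are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example: validate the whole input, not just the part before a NUL byte.
// is_strict_alnum() is a hypothetical helper, not a PHP built-in.

function is_strict_alnum($value): bool
{
    // Query parameters can arrive as arrays (?var[]=x); only strings qualify.
    if (!is_string($value)) {
        return false;
    }

    // Reject NUL bytes explicitly so the intent survives later refactoring,
    // even though preg_match itself does not stop at them.
    if (strpos($value, "\0") !== false) {
        return false;
    }

    // \A and \z anchor to the real start and end of the subject.
    // Unlike $, \z does not accept a trailing newline.
    return preg_match('/\A[a-zA-Z0-9]+\z/', $value) === 1;
}

// Constructed sample inputs. The first is the decoded form of the
// value in the report's URL (var=test%00_-).
$samples = [
    ["test\0_-", false],
    ["test",     true],
    ["test\n",   false],
    ["",         false],
    [["test"],   false],
];

foreach ($samples as [$input, $expected]) {
    $actual = is_strict_alnum($input);
    printf(
        "%-16s expected=%-5s actual=%-5s %s\n",
        json_encode($input),
        var_export($expected, true),
        var_export($actual, true),
        $actual === $expected ? 'ok' : 'MISMATCH'
    );
}
```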
 
Last updated: Fri Nov 08 23:01:29 2024 UTC