php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #55107 Null bytes in URL cause insecure behavior (code execution / code disclosure)
Submitted: 2011-07-01 14:20 UTC Modified: 2011-07-19 14:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: nbpoole@php.net Assigned: moriyoshi (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.4SVN-2011-07-01 (snap) OS: OS X 10.6.7
Private report: No CVE-ID: None
 [2011-07-01 14:20 UTC] nbpoole@php.net
Description:
------------
By using a null byte to append an extra file extension to requests made to the 
built-in webserver, it's possible to cause files accessible to the server to be 
executed as PHP (or not, as the case may be).

This behavior is similar to behavior exhibited by older versions of nginx (see 
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/783508).

Test script:
---------------
- Create a directory

- Add a file named example.php to the directory with the following contents:
<?php phpinfo();

- Add a file named other.txt to the directory with the following contents :
<?php phpinfo();

- Launch the server from that directory using php -S localhost:8000

- Browse to http://localhost:8000/example.php

- Browse to http://localhost:8000/example.php%00.txt

- Browse to http://localhost:8000/other.txt

- Browse to http://localhost:8000/other.txt%00.php

Expected result:
----------------
- Browse to http://localhost:8000/example.php: output of phpinfo()

- Browse to http://localhost:8000/example.php%00.txt: 400 Bad Request

- Browse to http://localhost:8000/other.txt: text file

- Browse to http://localhost:8000/other.txt%00.php: 400 Bad Request

Actual result:
--------------
- Browse to http://localhost:8000/example.php: output of phpinfo()

- Browse to http://localhost:8000/example.php%00.txt: Text file containing 
contents of example.php

- Browse to http://localhost:8000/other.txt: text file

- Browse to http://localhost:8000/other.txt%00.php: output of phpinfo()

Patches

5.4-fix (last revision 2011-07-19 17:29 UTC by fa@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-01 14:22 UTC] nbpoole@php.net
The fix I would suggest is disallowing null bytes (%00) in the path portion of the 
URL. If they're detected, the server should return 400 Bad Request.
 [2011-07-01 14:50 UTC] johannes@php.net
No need to hide this - not in a released version. Feature not meant for productive use. Should be fixed before 5.4.0 alpha 2, though.
 [2011-07-03 09:26 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: moriyoshi
 [2011-07-19 13:29 UTC] fa@php.net
-Status: Assigned +Status: Verified
 [2011-07-19 13:29 UTC] fa@php.net
The following patch has been added/updated:

Patch Name: 5.4-fix
Revision:   1311096576
URL:        https://bugs.php.net/patch-display.php?bug=55107&patch=5.4-fix&revision=1311096576
 [2011-07-19 14:17 UTC] moriyoshi@php.net
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313444
Log: - Fixed bug #55107 (Null bytes in URL cause insecure behavior (code execution / code disclosure)).
 [2011-07-19 14:17 UTC] moriyoshi@php.net
-Status: Verified +Status: Closed
 [2011-07-19 14:17 UTC] moriyoshi@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of moriyoshi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f98a430fd2b7e18635cb2a3a3bab157eee06a41
Log: - Fixed bug #55107 (Null bytes in URL cause insecure behavior (code execution / code disclosure)).
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of moriyoshi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f98a430fd2b7e18635cb2a3a3bab157eee06a41
Log: - Fixed bug #55107 (Null bytes in URL cause insecure behavior (code execution / code disclosure)).
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of moriyoshi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f98a430fd2b7e18635cb2a3a3bab157eee06a41
Log: - Fixed bug #55107 (Null bytes in URL cause insecure behavior (code execution / code disclosure)).
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Dec 04 18:01:23 2020 UTC