PHP 5.3.3 - NULLbyte exploit

Post by ovidiustanila » 2012/05/17 07:12:37


Recently we've run some vulnerability scans on our Joomla environments and we got a file inclusion vulnerability. The file inclusion was possible due to an unhandled NULLbyte in parameter:


Contacting the developers who supplied us the code for this template, we were notified that the issue is found in the PHP core, and they recommended that we use a newer PHP version:

You can find in the release notes that this PHP-exploit is fixed in PHP 5.3.4:
"... Paths with NULL in them (foo\0bar.txt) are now considered as invalid. (Rasmus) ..."

Will this security fix be backported to the CentOS 6 php package?

I consider this to be a serious security hole.
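
As an added illustration, not part of the original post or of the template's code: an application-level check that rejects NUL bytes in a request-supplied file name before it is used as an include path, for code that must still run on PHP older than 5.3.4. The function name `resolve_template`, the `.php` suffix and the directory layout are assumptions.

```php
<?php
// Added example: hypothetical helper, not Joomla's or the template vendor's code.
// Resolves a request-supplied template name to a file inside one fixed directory.
function resolve_template($name, $baseDir)
{
    // Only plain strings are acceptable (rejects array parameters).
    if (!is_string($name)) {
        return false;
    }
    // Reject NUL explicitly: on PHP before 5.3.4 the filesystem layer stops
    // reading the path at the first NUL, so a suffix appended later is dropped.
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // Allowlist the character set: no slashes, dots or other separators.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() returns false for missing files and resolves symlinks, so
    // the prefix comparison also catches links pointing outside $base.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Constructed self-check using a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.php', '<?php // demo');
$cases = array(
    'default'       => 'accepted',
    "default\0.txt" => 'rejected',   // NUL inside the value
    '../default'    => 'rejected',   // path separator
    'missing'       => 'rejected',   // no such file
);
foreach ($cases as $input => $expected) {
    $result = resolve_template($input, $dir) === false ? 'rejected' : 'accepted';
    printf("%-20s %s (expected %s)\n", addcslashes($input, "\0"), $result, $expected);
}
unlink($dir . DIRECTORY_SEPARATOR . 'default.php');
rmdir($dir);
```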



Post by TrevorH » 2012/05/17 08:00:39
