PHP 5.3.3 - NULLbyte exploit

ovidiustanila
Posts: 1
Joined: 2012/05/17 06:51:25

Post by ovidiustanila » 2012/05/17 07:12:37

Hello,

Recently we've run some vulnerability scans on our Joomla environments and we got a file inclusion vulnerability. The file inclusion was possible due to an unhandled NULL byte in a parameter:

/templates/template/css.php?s=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00.html

Contacting the developers who supplied us the code for this template, we were notified that the issue is found in the PHP core, and they recommended that we use a newer PHP version:

--------------------------------
You can find in the release notes that this PHP-exploit is fixed in PHP 5.3.4:
http://www.php.net/ChangeLog-5.php
"... Paths with NULL in them (foo\0bar.txt) are now considered as invalid. (Rasmus) ..."
--------------------------------

Will this security fix be backported to the CentOS 6 php package?

I consider this to be a serious security hole.

Thanks,
Ovidiu
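
One way a script such as css.php could validate its `s` parameter so the request above is refused on any PHP version, as an added example that is not part of the original post or the template's code. The function name `resolve_stylesheet`, the base directory and the `.css` suffix are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, not the template's code. resolve_stylesheet(), the base
// directory and the ".css" suffix are assumptions made for illustration.
function resolve_stylesheet($requested, $baseDir)
{
    // Reject NUL bytes outright: before PHP 5.3.4 the C file APIs stop
    // reading at "\0", so a suffix appended by the script is silently dropped.
    if (!is_string($requested) || strpos($requested, "\0") !== false) {
        return null;
    }
    // Allowlist a bare file name so "/" and ".." never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Canonicalise, then confirm the result is still under the base directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.css');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one stylesheet.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'css_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'main.css', "body{}\n");

$samples = array(
    'main',                           // legitimate name
    "../../../etc/passwd\0.html",     // shortened, decoded form of the scanned request
    '../main',                        // traversal without a NUL byte
);
foreach ($samples as $s) {
    $verdict = resolve_stylesheet($s, $dir) === null ? 'rejected' : 'served';
    echo addcslashes($s, "\0..\37"), ' => ', $verdict, "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'main.css');
rmdir($dir);
```

The code avoids type hints and short array syntax so it also runs on PHP 5.3.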

TrevorH
Forum Moderator
Posts: 30160
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Post by TrevorH » 2012/05/17 08:00:39

https://bugzilla.redhat.com/show_bug.cgi?id=662707
