PHP 7.1.0/5.6.29 missing null byte checks for paths in exif_imagetype

2017.01.21

Credit: Maksymilian Arciemowicz

Risk: Low

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Description:
------------
exif_imagetype doesn’t ensure that pathnames lack NULL byte, which might allow attacker to manipulate the file path.

===============================================
Affected code:
PHP_FUNCTION(exif_imagetype)
{
    char *imagefile;
    size_t imagefile_len;
    php_stream * stream;
    int itype = 0;
 
    if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { ⇐== THIS LINE
        return;
    }
===============================================

Test script:
---------------
<?php
var_dump(exif_imagetype("./image.png\x00.gallery.jpg"));
?>

Expected result:
----------------
expected parameter instead of string

Actual result:
--------------
$ php curl.php 
int(3)

Credit: Maksymilian from CXSECURITY.COM

References:

https://bugs.php.net/bug.php?id=73911

https://bugs.php.net/patch-display.php?bug_id=73911&patch=fix-73911&revision=latest

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHP 7.1.0/5.6.29 missing null byte checks for paths in exif_imagetype

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.