PHP 7.1.0/5.6.29 missing null byte checks for paths in exif_imagetype

2017.01.21
Credit: Maksymilian Arciemowicz
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Description: ------------ exif_imagetype doesn’t ensure that pathnames lack NULL byte, which might allow attacker to manipulate the file path. =============================================== Affected code: PHP_FUNCTION(exif_imagetype) { char *imagefile; size_t imagefile_len; php_stream * stream; int itype = 0; if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { ⇐== THIS LINE return; } =============================================== Test script: --------------- <?php var_dump(exif_imagetype("./image.png\x00.gallery.jpg")); ?> Expected result: ---------------- expected parameter instead of string Actual result: -------------- $ php curl.php int(3) Credit: Maksymilian from CXSECURITY.COM

References:

https://bugs.php.net/bug.php?id=73911
https://bugs.php.net/patch-display.php?bug_id=73911&patch=fix-73911&revision=latest


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top