PHP 7.1.0/5.6.29 missing null byte checks for paths in curl_file_create()

2017.01.21
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Description:
------------
Missing null byte checks for paths in curlfile_ctor(). curl_file_create() doesn't ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the upload file name and path.

Affected code:
==================================
static void curlfile_ctor(INTERNAL_FUNCTION_PARAMETERS)
{
	char *fname = NULL, *mime = NULL, *postname = NULL;
	size_t fname_len, mime_len, postname_len;
	zval *cf = return_value;

	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|ss", &fname, &fname_len, &mime, &mime_len, &postname, &postname_len) == FAILURE) {   ⇐====
		return;
	}
==================================

Affected function:
==================================
CURLFile curl_file_create ( string $filename [, string $mimetype [, string $postname ]] )
==================================

The type of the filename parameter needs to change. From a security perspective, you may also consider changing the type of the postname parameter.

Test script:
---------------
<?php
$request = curl_init('http://127.0.0.1/print.php');
curl_setopt($request, CURLOPT_POST, true);
$args['file'] = curl_file_create("./test.test\0.file.to.send.png", "image/png", "test.test\0.file.to.send.png");
curl_setopt($request, CURLOPT_POSTFIELDS, $args);
echo curl_exec($request);
curl_close($request);

Expected result:
----------------
warning

Actual result:
--------------
uploaded test.test and name
Array
(
    [file] => Array
        (
            [name] => test.test

Credit: Maksymilian from CXSECURITY.COM
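The advisory's point is that a string containing an embedded NUL byte is silently truncated at the C level, so the file actually read and the name the server receives differ from what the PHP code passed. Until a build that validates the path is deployed, a userland wrapper can refuse such input up front. The following is an added example written for this page, not code from the advisory, the reporter, or PHP itself; the function name safe_curl_file_create and the "rejected:" output line are this example's own choices.

```php
<?php
// Added example (not part of the advisory): refuse file names and post names
// that contain an embedded NUL byte before they reach curl_file_create().
// This is a guard on the caller's side only; the PHP build itself must still
// be updated to a version that validates the path.

function safe_curl_file_create(string $filename, string $mimetype = '', string $postname = ''): CURLFile
{
    // An embedded NUL would truncate the C string, so the file opened and the
    // name sent would no longer match what this code asked for.
    foreach (['filename' => $filename, 'postname' => $postname] as $label => $value) {
        if (strpos($value, "\0") !== false) {
            throw new InvalidArgumentException("$label contains an embedded NUL byte");
        }
    }
    // The receiving script sees $postname as the upload's file name, so it
    // must be a bare name without any directory component.
    if ($postname !== '' && basename($postname) !== $postname) {
        throw new InvalidArgumentException('postname must be a bare file name');
    }
    if (!is_file($filename)) {
        throw new InvalidArgumentException("$filename is not a regular file");
    }
    return curl_file_create($filename, $mimetype, $postname);
}

// Constructed demonstration using the advisory's own test input: the call is
// rejected before curl ever sees the truncated path.
try {
    safe_curl_file_create("./test.test\0.file.to.send.png", "image/png", "test.test\0.file.to.send.png");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

The NUL check runs before is_file() on purpose: on current PHP releases filesystem functions themselves reject paths with embedded NUL bytes, but ordering the checks this way keeps the behaviour the same on older builds, where the truncated path would otherwise be probed silently.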

References:

https://bugs.php.net/bug.php?id=73922