Resolve :Null character issues in php security issues
- 2020-06-15 07:59:01
- OfStack
Because PHP's file system operations are based on functions of the C language, it can handle Null characters in ways you might not expect. The Null character is used in the C language to identify the end of a string, a complete string from its beginning until the Null character is encountered. The following code demonstrates a similar attack:
Example #1 code that will be attacked by the Null character problem
Therefore, any string used to manipulate the file system must be properly checked. Here is an improved version of the above example:
Example #2 verifies that the input is correct
A function error can expose the database the system is using or provide an attacker with useful information about a web page, program, or design. Attackers often find open database ports and certain bug or vulnerabilities on the page. For example, an attacker could make a program error with some abnormal data to detect the order of authentication in the script (through the line number of the error) and information that might be leaked elsewhere in the script.
One file system or PHP error will reveal what permissions the web server has and how the files are organized on the server. Error code written by the developer can exacerbate the problem, leading to the release of previously hidden information.
There are three common ways to deal with these problems. The first is to thoroughly examine all functions and try to fix most of the errors. The second is to completely shut down the online system error report. The third is to create your own error handling mechanism using PHP's custom error handling function. Depending on the security policy, all three approaches may work.
Example #1 code that will be attacked by the Null character problem
<?php
$file = $_GET['file']; // "../../etc/passwd\0"
if (file_exists('/home/wwwrun/'.$file.'.php')) {
// file_exists will return true as the file /home/wwwrun/../../etc/passwd exists
include '/home/wwwrun/'.$file.'.php';
// the file /etc/passwd will be included
}
?>
Therefore, any string used to manipulate the file system must be properly checked. Here is an improved version of the above example:
Example #2 verifies that the input is correct
<?php
$file = $_GET['file'];
// Whitelist a string
switch ($file) {
case 'main':
case 'foo':
case 'bar':
include '/home/wwwrun/include/'.$file.'.php';
break;
default:
include '/home/wwwrun/include/main.php';
}
?>
A function error can expose the database the system is using or provide an attacker with useful information about a web page, program, or design. Attackers often find open database ports and certain bug or vulnerabilities on the page. For example, an attacker could make a program error with some abnormal data to detect the order of authentication in the script (through the line number of the error) and information that might be leaked elsewhere in the script.
One file system or PHP error will reveal what permissions the web server has and how the files are organized on the server. Error code written by the developer can exacerbate the problem, leading to the release of previously hidden information.
There are three common ways to deal with these problems. The first is to thoroughly examine all functions and try to fix most of the errors. The second is to completely shut down the online system error report. The third is to create your own error handling mechanism using PHP's custom error handling function. Depending on the security policy, all three approaches may work.