Bug 820101 - CVE-2006-7243 in PHP 5.1.6
CVE-2006-7243 in PHP 5.1.6
Status: CLOSED DUPLICATE of bug 662707
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: php (Show other bugs)
5.1.z
All Linux
unspecified Severity high
: rc
: ---
Assigned To: Joe Orton
BaseOS QE - Apps
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-09 03:29 EDT by Svyatoslav Lempert
Modified: 2012-05-09 05:29 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-09 05:27:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Svyatoslav Lempert 2012-05-09 03:29:07 EDT
Description of problem:

file_exists() silently truncates anything after a null byte in a string.  This produces unexpected results in some circumstances and possibly would result in security problems for limited amounts of poorly written code.

include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

This seems like a sane way to handle it if truncating has to be done... though frankly since truncation will *always* produce the wrong result it might be nice to throw an error and stop processing.

Check https://bugs.php.net/bug.php?id=39863

Run script

https://bugs.php.net/patch-display.php?bug_id=39863&patch=bug39863.phpt&revision=latest

MUST be show PASS, but script return FAIL.
Comment 1 Jan Lieskovsky 2012-05-09 05:27:50 EDT

*** This bug has been marked as a duplicate of bug 662707 ***
Comment 2 Jan Lieskovsky 2012-05-09 05:29:22 EDT
See also statement at:
https://access.redhat.com/security/cve/CVE-2006-7243

Note You need to log in before you can comment on or make changes to this bug.