820101 – CVE-2006-7243 in PHP 5.1.6

Bug 820101 - CVE-2006-7243 in PHP 5.1.6

Summary: CVE-2006-7243 in PHP 5.1.6

Keywords:
Status:	CLOSED DUPLICATE of bug 662707
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	php
Sub Component:
Version:	5.1.z
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Joe Orton
QA Contact:	BaseOS QE - Apps
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-09 07:29 UTC by Svyatoslav Lempert
Modified:	2012-05-09 09:29 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-05-09 09:27:50 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Svyatoslav Lempert 2012-05-09 07:29:07 UTC

Description of problem:

file_exists() silently truncates anything after a null byte in a string.  This produces unexpected results in some circumstances and possibly would result in security problems for limited amounts of poorly written code.

include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

This seems like a sane way to handle it if truncating has to be done... though frankly since truncation will *always* produce the wrong result it might be nice to throw an error and stop processing.

Check https://bugs.php.net/bug.php?id=39863

Run script

https://bugs.php.net/patch-display.php?bug_id=39863&patch=bug39863.phpt&revision=latest

MUST be show PASS, but script return FAIL.

Comment 1 Jan Lieskovsky 2012-05-09 09:27:50 UTC


*** This bug has been marked as a duplicate of bug 662707 ***

Comment 2 Jan Lieskovsky 2012-05-09 09:29:22 UTC

See also statement at:
https://access.redhat.com/security/cve/CVE-2006-7243

Note You need to log in before you can comment on or make changes to this bug.