ALERT - ASCII-NUL chars not allowed within request variables

Post Reply
mister_v
Posts: 137
Joined: Sat Jun 20, 2009 5:42 pm

ALERT - ASCII-NUL chars not allowed within request variables

Post by mister_v »

Hello,

I have the following message in my logs:

Code: Select all

suhosin[9413]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'name' (attacker 'x.x.x.x', file '/path/to/index.php')
And I wonder what it means
Chris
Site Admin
Posts: 127
Joined: Mon Jul 21, 2008 9:45 am
Location: Leuven, Belgium
Contact:

Re: ALERT - ASCII-NUL chars not allowed within request varia

Post by Chris »

This could be evidence of an attempted Poison NULL Byte Attack. PHP and Perl do not use NULL-terminated strings, but most underlying systems (anything C based) do.

This can lead to a certain class of attack where the attacker constructs a string that the programmer intended to be impossible. For example, if you were using a C library to include local file content into a web page, in your PHP you might do something like;

Code: Select all

grabLocalFile($_GET['file_name'] . ".php");
By manually appending the ".php" it can appear that some security is offered - in that only file names ending with .php can be included. However if an attacker is able to send a request such as;

Code: Select all

example.com/index.php?file_name=/etc/passwd\0
The null byte \0 will be treated as part of the string by php, which ends up calling;

Code: Select all

grabLocalFile("/etc/passwd\0.php");
When this string reaches the underlying system, the NULL byte will be treated as a string terminator, and the .php will be ignored. Now the attacker has included /etc/passwd into the web page he is viewing, despite the developer's attempt to enforce inclusion only of files ending in ".php"

To mitigate these kinds of attacks you can strip out the NULL byte altogether by doing something like this

Code: Select all

str_replace(chr(0), '', $string);
Regardless, suhosin looks like it is properly configured to defend against this class of attack.
Post Reply