CWE-626 Individual Dictionary Definition (Draft 9)

| Field | Content |
|---|---|
| Weakness ID | 626 (Weakness Variant) |
| Status | Draft |
| Description (Summary) | The product does not properly handle null bytes or NUL characters when passing data between different representations or components. |
| Description (Extended) | A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed, such as when Perl or PHP invokes underlying C functionality, this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. |
| Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) |
| Potential Mitigations | Remove null bytes from all incoming strings. |
| Observed Examples | CVE-2005-4155: NUL byte bypasses PHP regular expression check. CVE-2005-3153: inserting SQL after a NUL byte bypasses whitelist regexp, enabling SQL injection. |
| Context Notes | The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP. There are not many CVE examples, because the poison NULL byte is (1) a design limitation, which typically is not included in CVE by itself; and (2) it is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities. Current (2007) usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte. |
| References | |
| Relationships | |
| Applicable Platforms | PHP, Perl, ASP.NET |
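The interaction error described above, and the mitigation the entry names, shown in C as an added example (not part of the CWE entry and not taken from any interpreter's source). The `lstring` type stands in for a Perl/PHP-style length-prefixed string and is a constructed assumption, as is the sample input `"name\0.txt"`, which models a validator appending a hard-coded `.txt` extension to a user-supplied name that carries a NUL. The code contrasts the interpreter-level length with the length C string functions actually see, detects the embedded NUL, and applies the page's mitigation of removing NUL bytes before the data reaches C-level code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Interpreter-style string (as Perl/PHP keep them): pointer plus explicit
 * length, so an embedded NUL is an ordinary byte. Constructed type for this
 * example; not taken from any interpreter's source. */
typedef struct {
    const char *data;
    size_t len;
} lstring;

/* Length of the same bytes as a C string function sees them: the first NUL
 * ends the string, whatever the interpreter-level length says. */
size_t c_visible_length(lstring s) {
    size_t i = 0;
    while (i < s.len && s.data[i] != '\0') {
        i++;
    }
    return i;
}

/* Detection: does the interpreter-level string carry a NUL that C-level code
 * would treat as a terminator? A positive here is the point to reject input. */
bool has_embedded_nul(lstring s) {
    return memchr(s.data, '\0', s.len) != NULL;
}

/* Mitigation named on the page: remove NUL bytes before data reaches C code.
 * Copies at most out_cap-1 non-NUL bytes into out, always NUL-terminates,
 * and returns the number of bytes kept. */
size_t strip_nul_bytes(lstring s, char *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i < s.len && n + 1 < out_cap; i++) {
        if (s.data[i] != '\0') {
            out[n++] = s.data[i];
        }
    }
    out[n] = '\0';
    return n;
}

/* Consistency check for the "hard-coded extension" case from the Context
 * Notes: true only if the extension the interpreter appended is still the
 * tail of the string as C will read it. */
bool c_sees_extension(lstring s, const char *ext) {
    size_t vis = c_visible_length(s);
    size_t elen = strlen(ext);
    return vis >= elen && memcmp(s.data + vis - elen, ext, elen) == 0;
}

int main(void) {
    /* Constructed input: a 9-byte interpreter string in which ".txt" was
     * appended after a user-controlled part that contains a NUL. */
    const char raw[] = "name\0.txt";
    lstring s = { raw, sizeof raw - 1 };

    printf("interpreter length: %zu, C-visible length: %zu\n",
           s.len, c_visible_length(s));
    printf("embedded NUL: %s, C sees .txt: %s\n",
           has_embedded_nul(s) ? "yes" : "no",
           c_sees_extension(s, ".txt") ? "yes" : "no");

    char cleaned[32];
    lstring c = { cleaned, strip_nul_bytes(s, cleaned, sizeof cleaned) };
    printf("after strip: \"%s\", C sees .txt: %s\n",
           cleaned, c_sees_extension(c, ".txt") ? "yes" : "no");
    return 0;
}
```

Whether to strip or to reject is a design choice: stripping (the page's wording) keeps the request alive, while rejecting on `has_embedded_nul` is stricter and avoids silently changing what the user sent. Either way the check has to run on the interpreter-level length, because once the bytes are passed to C the NUL has already done its work.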