diff --git a/2006-02-09-php-perl-ruby-exploit.html b/2006-02-09-php-perl-ruby-exploit.html
new file mode 100644
index 0000000..895e496
--- /dev/null
+++ b/2006-02-09-php-perl-ruby-exploit.html
@@ -0,0 +1,59 @@
+
+
+
+
+
+
Take the PHP code:
+
+<?php
+$filename = ‘content/’.$_REQUEST[’filename’].’.html’;
+include($filename);
+?>
+
+
+This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” that’s readable by the web user. However, there’s a second, less obvious exploit path.
+
+If magic_quotes_gpc is off, the following is possible:
+
+test.php?filename=../../../../../../etc/passwd%00
+
+
+PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.
+
+
+
+In PERL:
+
+open IN,”foo\0bar”;
+
+
+causes the syscall:
+
+open(”foo”, O_RDONLY|O_LARGEFILE)
+
+
+
+
+In Ruby:
+
+File.open(”foo\0bar”,’r');
+
+
+causes the syscall:
+
+open(”foo”, O_RDONLY|O_LARGEFILE)
+
+
+
+
+Python appears to be safe:
+
+open(”foo\0bar”,”r”);
+
+
+throws an error:
+
+TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
+
+
+
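Review bot: The line "Take the PHP code:" is missing its leading "+" marker, so this hunk (declared as 59 added lines for a new file) will not apply cleanly; every line of a new-file hunk must be prefixed with "+". Two rendering problems in the file body follow from it being plain text saved as .html: there is no markup at all, so the paragraph breaks and the code blocks collapse when a browser renders it, and the raw "<?php ... ?>" snippet is parsed as a bogus comment and disappears entirely. Escape "<" as "&lt;" and wrap the PHP, Perl, Ruby and Python snippets in "<pre>" blocks. The snippets also use typographic quotes ("‘content/’", "”foo\0bar”", "’r'") rather than ASCII quotes, which makes them syntactically wrong if copied. Finally, the post puts the fix on the PHP runtime ("PHP should really check ... before the syscall"); it would be worth adding that the application in the snippet is fixable on its own by validating $_REQUEST['filename'] against the expected set of names (for example rejecting anything containing "/" or "\0", or comparing against an allowlist) rather than relying on magic_quotes_gpc, which the text itself notes may be off.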
diff --git a/index.html b/index.html
index 13d730a..f4a0e7c 100644
--- a/index.html
+++ b/index.html
@@ -40,6 +40,7 @@
2009-Sep-11: Confusing BIND with CNAMEs
2009-Feb-19: The odd case of my mugging
2009-Feb-03: 5-packet TCP connection?
+2006-Feb-09: PHP/PERL/Ruby exploit
2006-Feb-07: Why is my SSH X Window forwarding broken?
2006-Feb-06: Installing Debian from a USB stick
2006-Feb-02: Rebooting Linux when it doesn’t feel like it
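Review bot: The new entry is in the right chronological position between 2009-Feb-03 and 2006-Feb-07, but "PERL" should be written "Perl" (the language name is not an acronym), and the title "PHP/PERL/Ruby exploit" does not say what the post is about; something like "Null bytes in filenames: PHP/Perl/Ruby" would match the content. Whatever title is chosen should be applied identically in markdown/index.md so the two indexes stay in sync.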
diff --git a/markdown/2006-02-09-php-perl-ruby-exploit.md b/markdown/2006-02-09-php-perl-ruby-exploit.md
new file mode 100644
index 0000000..d7e74f0
--- /dev/null
+++ b/markdown/2006-02-09-php-perl-ruby-exploit.md
@@ -0,0 +1,51 @@
+
+
+
+
+
+Take the __PHP__ code:
+
+
+
+This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” that’s readable by the web user. However, there’s a second, less obvious exploit path.
+
+If magic\_quotes\_gpc is off, the following is possible:
+
+ test.php?filename=../../../../../../etc/passwd%00
+
+PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.
+
+---
+
+In __PERL__:
+
+ open IN,”foo\0bar”;
+
+causes the syscall:
+
+ open(”foo”, O_RDONLY|O_LARGEFILE)
+
+---
+
+In __Ruby__:
+
+ File.open(”foo\0bar”,’r');
+
+causes the syscall:
+
+ open(”foo”, O_RDONLY|O_LARGEFILE)
+
+---
+
+__Python__ appears to be safe:
+
+ open(”foo\0bar”,”r”);
+
+throws an error:
+
+ TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
+
+
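Review bot: The PHP snippet that this post is built around is absent from the markdown source: after "Take the __PHP__ code:" there are only blank lines before "This is exploitable in an obvious way", and the hunk header declares 51 lines while only 48 appear, so the code block appears to have been lost. Add it as a four-space-indented block like the other snippets in this file, in the form the HTML version carries (the $filename assignment and the include()). The remaining indented blocks use typographic quotes ("”foo\0bar”", "’r'", "”r”") instead of ASCII quotes, which breaks copy-and-paste; replace them with straight quotes. For consistency with the index entry, "__PERL__" should read "__Perl__".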
diff --git a/markdown/index.md b/markdown/index.md
index c491280..9a1cd25 100644
--- a/markdown/index.md
+++ b/markdown/index.md
@@ -39,6 +39,7 @@
1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
+1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)
1. 2006-Feb-07: [Why is my SSH X Window forwarding broken?](2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html)
1. 2006-Feb-06: [Installing Debian from a USB stick](2006-02-06-installing-debian-from-a-usb-stick.html)
1. 2006-Feb-02: [Rebooting Linux when it doesn’t feel like it](2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html)
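Review bot: The new entry's link target matches the file added in this commit (2006-02-09-php-perl-ruby-exploit.html) and the ordering is correct, but "PERL" should be "Perl", matching whatever title is used in index.html. Unrelated to this change but visible in the context lines: the 2009-Feb-19 entry links to 2019-02-19-the-odd-case-of-my-mugging.html, a year mismatch that looks like a typo worth a separate fix.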