From 7bbe051df15b991a040987f27c0fafd25d843216 Mon Sep 17 00:00:00 2001
From: Ian Gulliver <ian@flamingcow.tv>
Date: Sun, 21 Apr 2019 17:15:52 +0000
Subject: [PATCH] PHP/PERL/Ruby exploit

---
 2006-02-09-php-perl-ruby-exploit.html        | 59 ++++++++++++++++++++
 index.html                                   |  1 +
 markdown/2006-02-09-php-perl-ruby-exploit.md | 51 +++++++++++++++++
 markdown/index.md                            |  1 +
 4 files changed, 112 insertions(+)
 create mode 100644 2006-02-09-php-perl-ruby-exploit.html
 create mode 100644 markdown/2006-02-09-php-perl-ruby-exploit.md

diff --git a/2006-02-09-php-perl-ruby-exploit.html b/2006-02-09-php-perl-ruby-exploit.html
new file mode 100644
index 0000000..895e496
--- /dev/null
+++ b/2006-02-09-php-perl-ruby-exploit.html
@@ -0,0 +1,59 @@
+<!--# set var="title" value="PHP/PERL/Ruby exploit" -->
+<!--# set var="date" value="February 9, 2006" -->
+
+<!--# include file="include/top.html" -->
+
+<p>Take the <strong>PHP</strong> code:</p>
+
+<pre><code>&lt;?php
+$filename = ‘content/’.$_REQUEST[’filename’].’.html’;
+include($filename);
+?&gt;
+</code></pre>
+
+<p>This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” that’s readable by the web user. However, there’s a second, less obvious exploit path.</p>
+
+<p>If magic_quotes_gpc is off, the following is possible:</p>
+
+<pre><code>test.php?filename=../../../../../../etc/passwd%00
+</code></pre>
+
+<p>PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.</p>
+
+<hr />
+
+<p>In <strong>PERL</strong>:</p>
+
+<pre><code>open IN,”foo\0bar”;
+</code></pre>
+
+<p>causes the syscall:</p>
+
+<pre><code>open(”foo”, O_RDONLY|O_LARGEFILE)
+</code></pre>
+
+<hr />
+
+<p>In <strong>Ruby</strong>:</p>
+
+<pre><code>File.open(”foo\0bar”,’r');
+</code></pre>
+
+<p>causes the syscall:</p>
+
+<pre><code>open(”foo”, O_RDONLY|O_LARGEFILE)
+</code></pre>
+
+<hr />
+
+<p><strong>Python</strong> appears to be safe:</p>
+
+<pre><code>open(”foo\0bar”,”r”);
+</code></pre>
+
+<p>throws an error:</p>
+
+<pre><code>TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
+</code></pre>
+
+<!--# include file="include/bottom.html" -->
diff --git a/index.html b/index.html
index 13d730a..f4a0e7c 100644
--- a/index.html
+++ b/index.html
@@ -40,6 +40,7 @@
 <li>2009-Sep-11: <a href="2009-09-11-confusing-bind-with-cnames.html">Confusing BIND with CNAMEs</a></li>
 <li>2009-Feb-19: <a href="2019-02-19-the-odd-case-of-my-mugging.html">The odd case of my mugging</a></li>
 <li>2009-Feb-03: <a href="2009-02-03-5-packet-tcp-connection.html">5-packet TCP connection?</a></li>
+<li>2006-Feb-09: <a href="2006-02-09-php-perl-ruby-exploit.html">PHP/PERL/Ruby exploit</a></li>
 <li>2006-Feb-07: <a href="2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html">Why is my SSH X Window forwarding broken?</a></li>
 <li>2006-Feb-06: <a href="2006-02-06-installing-debian-from-a-usb-stick.html">Installing Debian from a USB stick</a></li>
 <li>2006-Feb-02: <a href="2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html">Rebooting Linux when it doesn’t feel like it</a></li>
diff --git a/markdown/2006-02-09-php-perl-ruby-exploit.md b/markdown/2006-02-09-php-perl-ruby-exploit.md
new file mode 100644
index 0000000..d7e74f0
--- /dev/null
+++ b/markdown/2006-02-09-php-perl-ruby-exploit.md
@@ -0,0 +1,51 @@
+<!--# set var="title" value="PHP/PERL/Ruby exploit" -->
+<!--# set var="date" value="February 9, 2006" -->
+
+<!--# include file="include/top.html" -->
+
+Take the __PHP__ code:
+
+	<?php
+	$filename = ‘content/’.$_REQUEST[’filename’].’.html’;
+	include($filename);
+	?>
+
+This is exploitable in an obvious way; “../” can be included in the filename, and it can be used to open any file ending in “.html” that’s readable by the web user. However, there’s a second, less obvious exploit path.
+
+If magic\_quotes\_gpc is off, the following is possible:
+
+	test.php?filename=../../../../../../etc/passwd%00
+
+PHP stores strings internally as binary-safe, but the include() requires a syscall, which expects a nil-terminated string. The result is that the syscall considers the string over at the \0, and opens /etc/passwd. PHP should really check to see if the binary-safe string contains nils before the syscall, and fail with an error if it does.
+
+---
+
+In __PERL__:
+
+	open IN,”foo\0bar”;
+
+causes the syscall:
+
+	open(”foo”, O_RDONLY|O_LARGEFILE)
+
+---
+
+In __Ruby__:
+
+	File.open(”foo\0bar”,’r');
+
+causes the syscall:
+
+	open(”foo”, O_RDONLY|O_LARGEFILE)
+
+---
+
+__Python__ appears to be safe:
+
+	open(”foo\0bar”,”r”);
+
+throws an error:
+
+	TypeError: file() argument 1 must be (encoded string without NULL bytes), not str
+
+<!--# include file="include/bottom.html" -->
diff --git a/markdown/index.md b/markdown/index.md
index c491280..9a1cd25 100644
--- a/markdown/index.md
+++ b/markdown/index.md
@@ -39,6 +39,7 @@
 1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
 1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
 1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
+1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)
 1. 2006-Feb-07: [Why is my SSH X Window forwarding broken?](2006-02-07-why-is-my-ssh-x-window-forwarding-broken.html)
 1. 2006-Feb-06: [Installing Debian from a USB stick](2006-02-06-installing-debian-from-a-usb-stick.html)
 1. 2006-Feb-02: [Rebooting Linux when it doesn’t feel like it](2006-02-02-rebooting-linux-when-it-doesnt-feel-like-it.html)