
NULL Byte Poison Information Disclosure Vulnerability


gtaid1


Guys I really need help.

 

I have no knowledge of PHP. I'm managing an IIS server that is undergoing a PCI audit, and this is one of the findings. The website is using PHP Manager 5.3 and WordPress.

 

I researched the issue, and this link says to add some code to fix it: http://www.codercaste.com/2009/10/03/the-null-byte-poisoning-attack-explained/

 

 

Code below

$file = str_replace(chr(0), '', $string);

I copied and pasted this into every .PHP file that I could think of, but honestly I'm not sure if I copied it to the right file or the right place inside the file. Can someone please help?

Where to put this code?

 

Also, I saw another web page that said to add the same code, but instead of $file it was $input. So which one is correct?

 

Thank you all in advance.


I have no knowledge of PHP.

 

And now you're copypasting code from the Internet which you don't understand into scripts you don't understand to solve problems you don't understand. I'm sure the auditors will love that.

 

Also, null byte vulnerabilities? As far as I remember, the last PHP version which had something like this was 5.2. Is that what you're running?

 

Right now, I'd be a lot more worried about the overall state of your organization.


I could be wrong, for I only did a quick search on the internet, but it looks like PHP Manager is obsolete or not being supported? (Someone correct me if I'm wrong.) From your standpoint, I think your problem is more of an update issue than a coding issue (again, I could be wrong). All I know is that if I had your job, I would be looking into updating the applications on the server rather than trying to correct the issue by splicing in a code fix, for I think doing it that way would solve your problem(s) and satisfy the auditor(s). This is especially true if you are just an IT administrator with no programming skills?


In a nutshell, this only has the potential to be dangerous if you have stupid code that opens files based on variables coming from application user input. If you do have those applications, then a null byte exploit is only the tip of the iceberg.

 

If you are going around pasting "$file = str_replace(chr(0), '', $string);" into all the php files, you misunderstand the proposed "fix" and are most likely wasting your time entirely. This is not something that can be fixed without a review and understanding of the php code involved.

 

It is very possible that despite that potential flaw, there is absolutely no code in your php application that could be exploited by this issue.

 

It is likely that the analysis is simply checking the version of PHP and a database says that the version you are using has this potential flaw in it.

 

It also appears that PHP Manager stopped being developed in 2011. Your plan should be to get a fresh modern PHP installation without using PHP Manager.

 

You might also want to communicate to management that this audit and report opened up a huge can of worms that could require a lot of reinstallation/configuration etc.
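
The kind of code the reply above describes (a file path built from user input), next to a hardened form, as an added example that is not part of the thread and not code from the audited site. The function names, the template directory and the sample inputs are assumptions made for illustration:

```php
<?php
// Added illustration; function names, directory and sample values are hypothetical.

// Pattern the finding is about: a path built directly from request input.
// On old PHP versions the filesystem call stops at the first NUL byte, so the
// ".php" suffix is silently dropped; current versions reject such paths.
function resolve_page_unsafe(string $page): string
{
    return __DIR__ . '/templates/' . $page . '.php';
}

// Hardened form: allowlist the name, then confirm the resolved path is still
// inside the template directory. No str_replace() on the input is needed.
function resolve_page_safe(string $page, string $baseDir): ?string
{
    // Rejects NUL bytes, slashes, dots and anything else outside a small alphabet.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $page) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template does not exist
    }
    // Containment check: the real path must sit under the real base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one page.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/home.php', '<?php // sample template');

$samples = ['home', "home\0.txt", '../../etc/hosts', 'missing'];
foreach ($samples as $s) {
    $result = resolve_page_safe($s, $dir);
    printf("%-24s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $result ?? 'rejected');
}
unlink($dir . '/home.php');
rmdir($dir);
```

Only the first sample resolves to a path; the other three are rejected before any file is opened.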
