Detalle CWE-158

CWE-158

Improper Neutralization of Null Byte or NUL Character
Incomplete
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Improper Neutralization of Null Byte or NUL Character

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

Descripción CWE

As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.

Informaciones generales

Modos de introducción

Implementation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)
Name: C (Undetermined)
Name: C++ (Undetermined)

Tecnologías

Class: Not Technology-Specific (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
IntegrityUnexpected State

Ejemplos observados

Referencias Descripción

CVE-2008-1284

NUL byte in theme name causes directory traversal impact to be worse

CVE-2005-2008

Source code disclosure using trailing null.

CVE-2005-3293

Source code disclosure using trailing null.

CVE-2005-2061

Trailing null allows file include.

CVE-2002-1774

Null character in MIME header allows detection bypass.

CVE-2000-0149

Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.

CVE-2000-0671

Web server earlier allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) in the URL.

CVE-2001-0738

Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages.

CVE-2001-1140

Web server allows source code for executable programs to be read via a null character (%00) at the end of a request.

CVE-2002-1031

Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name.

CVE-2002-1025

Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed.

CVE-2003-0768

XSS protection mechanism only checks for sequences with an alphabetical character following a (<), so a non-alphabetical or null character (%00) following a < may be processed.

CVE-2004-0189

Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters.

CVE-2005-3153

Null byte bypasses PHP regexp check (interaction error).

CVE-2005-4155

Null byte bypasses PHP regexp check (interaction error).

Mitigaciones potenciales

Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Phases : Implementation
Phases : Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-52 Embedding NULL Bytes
An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
CAPEC-53 Postfix, Null Terminate, and Backslash
If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.

Notas

This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.

Referencias

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-516

ShAnKaR: multiple PHP application poison NULL byte vulnerability
ShAnKaR.
https://seclists.org/fulldisclosure/2006/Sep/185

REF-1494

Null Byte Attacks Explained
Cyber T.
https://medium.com/meetcyber/null-byte-attacks-explained-f032f125b919

REF-1495

What Is Null Byte Injection? How It Works & Examples
Twingate.
https://www.twingate.com/blog/glossary/null%20byte%20injection

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2008-11-24 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-07-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Description, Name
CWE Content Team MITRE 2011-03-29 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-05-03 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2020-02-24 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Observed_Examples, Potential_Mitigations
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, References, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.