CWE-626
Null Byte Interaction Error (Poison Null Byte)
Draft
2007-05-07
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Null Byte Interaction Error (Poison Null Byte)
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Name: PHP (Undetermined)Name: Perl (Undetermined)
Name: ASP.NET (Undetermined)
Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Integrity | Unexpected State |
Exemples observés
| Références | Description |
|---|---|
CVE-2005-4155 | NUL byte bypasses PHP regular expression check |
CVE-2005-3153 | inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection |
Mesures d’atténuation potentielles
Phases : ImplementationRemove null bytes from all incoming strings.
Méthodes de détection
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notes
Current usage of "poison null byte" is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.
Références
REF-514
Perl CGI problemsRain Forest Puppy.
https://phrack.org/issues/55/7
REF-515
0x00 vs ASP file upload scriptsBrett Moore.
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf
REF-516
ShAnKaR: multiple PHP application poison NULL byte vulnerabilityShAnKaR.
https://seclists.org/fulldisclosure/2006/Sep/185
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 6 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Description, Relationships, Observed_Example, Other_Notes, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Description, Other_Notes, Research_Gaps, Terminology_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Detection_Factors |
