I am helping my friend to finish his module for a website. From my first impression looking at his modules, I found some very dangerous things, but he says that this method is secure.
Part of the code:
session_start();
$foo = array(); // initialise so the later lookup never reads an undefined variable
// user-supplied value is stored in the session without any validation
if(isset($_POST['foo']))
{
$_SESSION['foo'] = $_POST['foo'];
}
if(isset($_SESSION['foo']))
{
$foo['foo'] = $_SESSION['foo'];
}
// the session value is concatenated straight into a filesystem path
if(is_file("inc/". $foo['foo'] . "/bar.php")) {
// code
}
else {
// code
}
Note: the file inc/test/bar.php exists.
I wanted to test his code, and I sent the following requests:
POST :: foo => test/bar.php%00
POST :: foo => test/bar.php\0
curl_setopt($ch, CURLOPT_POSTFIELDS, 'foo=test/bar.php' . chr(0x00));
But none of these methods worked. Is that code really secure, and how could someone send a null byte to bypass its security? I want to demonstrate to my friend that his code is not secure.
Null Byte Injection is an active exploitation technique used to bypass sanity checking filters in web infrastructure by adding URL-encoded null byte characters (i.e. %00, or 0x00 in hex) to the user-supplied data.
In C/C++, a null byte represents the string termination point or delimiter character, which means to stop processing the string immediately. Bytes following the delimiter will be ignored. If the string loses its null character, the length of the string becomes unknown until the memory pointer happens to meet the next zero byte.
Encoding. In all modern character sets, the null character has a code point value of zero. In most encodings, this is translated to a single code unit with a zero value. For instance, in UTF-8 it is a single zero byte.
Null byte is a bypass technique for sending data that would be filtered otherwise. It relies on injecting the null byte characters ( %00 , \x00 ) in the supplied data. Its role is to terminate a string.
I've found this solution. In short, it seems your code is somewhat vulnerable, and the sanitizing method is this:
There are a number of ways to prevent Poison Null Byte injections within PHP. These include escaping the NULL byte with a backslash; however, the most recommended way to do so is to completely remove the byte by using code similar to the following:
$foo['foo'] = str_replace(chr(0), '', $foo['foo']);
I'm also not an expert in null-byte attacks, but this makes sense. Even more details here.
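Below is an added example, written for this page and not taken from the question or the answer, that puts the NUL-stripping fix quoted above into a hardened version of the questioner's module-selection code. It assumes (my assumption, not stated on the page) that a module name is a short identifier of letters, digits, underscores and hyphens, and enforces that with an allowlist regex after the NUL bytes are removed, so the value can only ever name a single directory under inc/. The constants, function names and the sample inputs in the CLI self-check are mine; the sample inputs are the probes from the question plus one benign value.

```php
<?php
// Added example: hardened form of the is_file("inc/" . $foo . "/bar.php") logic.
// Assumption: module names are plain identifiers (see MODULE_NAME_RE below).
declare(strict_types=1);

const MODULE_DIR     = __DIR__ . '/inc';            // assumed module root
const MODULE_NAME_RE = '/^[A-Za-z0-9_-]{1,64}$/';   // assumed identifier shape

/**
 * Apply the fix from the answer (drop every NUL byte) and then require the
 * remainder to match a strict allowlist. Returns null when the value is
 * rejected, so callers never build a path from untrusted input.
 */
function sanitize_module_name(string $raw): ?string
{
    // Step 1: remove NUL bytes, whether they arrived URL-encoded as %00
    // (PHP decodes that to a raw 0x00 in $_POST) or as a raw byte.
    $clean = str_replace(chr(0), '', $raw);

    // Step 2: allowlist. Rejects '/', '\\', '.', whitespace and anything
    // else that is not part of a simple identifier.
    if (preg_match(MODULE_NAME_RE, $clean) !== 1) {
        return null;
    }
    return $clean;
}

/**
 * Resolve <MODULE_DIR>/<module>/bar.php to a real path, or return null if the
 * file does not exist or does not sit under MODULE_DIR. The realpath()
 * containment check is a second layer on top of the allowlist.
 */
function resolve_module_file(string $module): ?string
{
    $real = realpath(MODULE_DIR . '/' . $module . '/bar.php');
    $base = realpath(MODULE_DIR);
    if ($real === false || $base === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// CLI self-check with constructed inputs: the probes from the question
// ("test/bar.php" followed by a NUL, "test" followed by a NUL) and a benign name.
if (PHP_SAPI === 'cli') {
    foreach (["test/bar.php\0", "test\0", "test"] as $sample) {
        printf("%-30s => %s\n", bin2hex($sample),
               sanitize_module_name($sample) ?? 'REJECTED');
    }
    // expected: first two REJECTED (the slash/dot survive NUL stripping and
    // fail the allowlist); "test" is accepted.
    exit(0);
}

// Web request handling: validate *before* anything reaches the session.
session_start();

if (isset($_POST['foo'])) {
    $module = is_string($_POST['foo']) ? sanitize_module_name($_POST['foo']) : null;
    if ($module === null) {
        // Log the rejected value hex-encoded so NUL bytes are visible in the log.
        error_log('module parameter rejected: ' . bin2hex((string) $_POST['foo']));
        http_response_code(400);
        exit('invalid module');
    }
    $_SESSION['foo'] = $module;
}

$file = isset($_SESSION['foo']) ? resolve_module_file($_SESSION['foo']) : null;
if ($file !== null) {
    require $file;   // module found
} else {
    // fallback code (the original else branch)
}
```

The design point is the order of operations: the original stores the raw POST value in the session and validates nothing, so every later request trusts it; here the value is stripped of NUL bytes and allowlisted before it is stored, and the resolved path is additionally checked to lie under the module directory. Rejected values are logged hex-encoded, which is the easiest way to see a 0x00 probe in a log line.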