Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Hhvm | * | 3.30.12 (excluding) | |
| Hhvm | 4.0.0 (including) | 4.8.5 (including) | |
| Hhvm | 4.9.0 (including) | 4.23.1 (including) | |
| Hhvm | 4.24.0 (including) | 4.24.0 (including) | |
| Hhvm | 4.25.0 (including) | 4.25.0 (including) | |
| Hhvm | 4.26.0 (including) | 4.26.0 (including) | |
| Hhvm | 4.27.0 (including) | 4.27.0 (including) | |
| Hhvm | 4.28.0 (including) | 4.28.0 (including) | |
| Hhvm | 4.28.1 (including) | 4.28.1 (including) | |
| Hhvm | Ubuntu | bionic | * |
| Hhvm | Ubuntu | trusty | * |
| Hhvm | Ubuntu | xenial | * |
A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.