Personally, I think the best way to fight off a hacker is to become one yourself. If you know how to break a system, you should be able to figure out how to fix or patch it. Sometimes it is impractical, or even dangerous, to sit around and wait for someone to write a patch for the critical exploit that has just been discovered while your mission-critical servers are lying there vulnerable. And at the very least it will help you write better, more secure code for your applications when you have these things in mind.

The null byte terminator is a very important principle in software engineering. Simply put, it is just ASCII character 0. In C, and therefore in most of the libraries and system calls that languages like PHP are built on, the null byte marks the end of a string: when a routine hits the null terminator, it treats the string as complete and ignores whatever bytes follow. PHP's own strings are binary-safe and may contain a null byte in the middle, and that mismatch between what PHP sees and what the underlying C call sees is what makes the trick below work. In a URL-encoded request the null byte is written as "%00"; in PHP source it is "\0".

Let's say you have a target machine that allows you to upload images. The upload page has a field to select your local image and an upload button. As soon as you hit that button and upload your image, the server-side PHP will run a check (probably using substr or explode) to make sure the extension of the file you are uploading is (for example) ".png". If you were to try and upload a file called "god.php", it would throw an error and the page would complain that you chose an invalid file type.

Now we try something a little different. After choosing the PHP file, we change the name to "god.php%00.png" in the upload field. This time, when you click the button and upload the file, the script will substr or explode the filename and see the extension it is looking for (".png" in this example), so the check passes. However, when the file is written to the file-system, the underlying C call stops reading the filename at the null byte, before it ever sees the ".png" part. At this point there will be a "god.php" file on the server that a malicious hacker will be able to exploit.

Seems a little too easy, doesn't it? Well, one of the most important things to do here for system security is to parse the user input (which in this case becomes the filename of the file) and remove invalid input. Personally, I choose to use a regular expression to search for any non-alphanumeric character that is not an underscore or dash, and strip those characters from the input; there are many other ways in which one could handle this type of issue as well.
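The following is an added example, not code from the original post: it puts the naive extension check described above next to a hardened version that applies the regular-expression approach just mentioned, and runs both over a few constructed filenames. The function names, the allow-list of extensions and the sample names are all my own assumptions; "\0" is what "%00" in the request decodes to on the server.

```php
<?php
// Added example (not the original post's code). Filenames are constructed
// inline so the script runs without a real upload form.

// Vulnerable: trusts the last dot-separated segment of the name.
// On PHP < 5.3.4 the file-system call then stopped at the embedded NUL,
// so "god.php\0.png" was written to disk as "god.php".
function extension_check_vulnerable(string $name): bool {
    $parts = explode('.', $name);
    return strtolower(end($parts)) === 'png';
}

// Hardened: reject a NUL byte outright, strip directory components, keep
// only [A-Za-z0-9_-] in the stem, and re-attach exactly one extension
// taken from an allow-list.
function sanitize_upload_name(string $name, array $allowed = ['png', 'jpg', 'gif']): ?string {
    if (strpos($name, "\0") !== false) {
        return null;                       // a NUL byte is never a legitimate filename
    }
    $base = basename($name);               // drop any "../" or directory prefix
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === 0) {
        return null;                       // no extension, or a dot-file
    }
    $ext  = strtolower(substr($base, $dot + 1));
    $stem = substr($base, 0, $dot);
    if (!in_array($ext, $allowed, true)) {
        return null;                       // only allow-listed extensions may follow the last dot
    }
    // The regex from the post: remove everything that is not alphanumeric,
    // underscore or dash. This also removes any inner dots and control bytes.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '', $stem);
    if ($stem === null || $stem === '') {
        return null;
    }
    return $stem . '.' . $ext;
}

// Constructed sample names: a clean one, the null-byte trick, a path
// traversal attempt, a double extension, and a plain PHP file.
$names = ["god.png", "god.php\0.png", "../god.php", "god.php.png", "god.php"];
foreach ($names as $n) {
    printf("%-16s vulnerable=%-7s hardened=%s\n",
        str_replace("\0", '\0', $n),
        extension_check_vulnerable($n) ? 'accept' : 'reject',
        sanitize_upload_name($n) ?? 'reject');
}
```

Run with `php` on the command line: the vulnerable check accepts "god.php\0.png" and "god.php.png" unchanged, while the hardened version rejects the null-byte name and rewrites the double extension to "godphp.png", so no ".php" segment survives in the stored name. On PHP 5.3.4 and later the file-system functions themselves refuse a path containing a null byte (a warning and a false return; PHP 8 throws a ValueError), so the explicit NUL check is a second line of defence rather than the only one; the allow-listed extension and the stem regex are what keep a double-extension name from being stored as-is.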

Update: As of PHP 5.3.4, file paths containing the NULL byte are considered invalid.