Security Basics mailing list archives

PHP security


From: Robert Larsen <robert () the-playground dk>
Date: Tue, 15 Jul 2008 21:19:47 +0200

Hi

I have been reading up on a couple of local file inclusion techniques in
PHP and cannot seem to get it to work.
One was to insert a null character to remove an ending. Take this script:

<?php
   $include_path = $_REQUEST['file'] . ".php";
   echo "Including $include_path";
   include($include_path);
?>

If I used the following URL: http://localhost/test.php?file=/etc/passwd%00

That was supposed to include /etc/passwd but I get the following error
message:
--------------------------------------------------------------------
Including /etc/passwd\0.php
*Warning*: include(/etc/passwd\0.php) [function.include
<http://localhost/function.include>]: failed to open stream: No such
file or directory in */var/www/test.php* on line *4*

*Warning*: include() [function.include
<http://localhost/function.include>]: Failed opening '/etc/passwd\0.php'
for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in
*/var/www/test.php* on line *4*
--------------------------------------------------------------------
Does the null character technique not work with PHP or have I done
something wrong?

The next technique I thought was quite interesting. The idea was
including /proc/self/environ on Linux and inserting PHP code into it by
setting your User-Agent to something like:
User-Agent: <?php php_info(); ?>

But the following code:
<?php
   include("/proc/self/environ");
?>

...doesn't work as it seems /proc/self/environ is owned by root and is
only readable by the owner and Apache is running as the www-data user.
How is that? Is that because Apache starts as a root-owned process
which drops its privileges once a connection has been received?

I hope some of you can shed some light on this.

Thanks in advance

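As an added example, not part of the original post: a hardened version of the include script from the question. The request parameter is never used to build a path; it is looked up in a fixed allowlist, so neither a trailing null byte nor a path such as /proc/self/environ can reach include(). Assumed layout: a pages/ directory next to the script containing home.php and about.php, PHP 7 or later.

```php
<?php
// Added example (not from the original post). Hardened include script:
// the request value is only ever used as a key into an allowlist.
// Assumed layout: pages/home.php and pages/about.php beside this file.

// 1. Fixed allowlist mapping request value -> file on disk.
$pages = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// 2. Canonicalise the page directory once so resolved paths can be checked.
$base = realpath(__DIR__ . '/pages');
if ($base === false) {
    http_response_code(500);
    exit('page directory missing');
}

function resolve_page(array $pages, string $base, $name): ?string
{
    // Only a plain string that exactly matches an allowlist key is accepted.
    // Arrays (?file[]=x), null bytes, "../" and absolute paths all fail here
    // because none of them can equal a key of $pages.
    if (!is_string($name) || !array_key_exists($name, $pages)) {
        return null;
    }
    $path = realpath($base . '/' . $pages[$name]);
    // Defence in depth: the resolved file must still live under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$name = $_GET['file'] ?? 'home';
$path = resolve_page($pages, $base, $name);
if ($path === null) {
    http_response_code(404);
    // Do not echo the raw request value back, as the original script did.
    exit('unknown page');
}
include $path;
```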
