serf -- SSL Certificate Null Byte Poisoning
serf Development list reports:
Serf provides APIs to retrieve information about a certificate. These
APIs return the information as NUL-terminated strings (commonly called C
strings). X.509 uses counted-length strings, which may include a NUL byte.
This means that a library user will interpret any information as ending
upon seeing this NUL byte and will only see a partial value for that field.
Attackers could exploit this vulnerability to create a certificate that a
client will accept for a different hostname than the full certificate is
actually for by embedding a NUL byte in the certificate.
This can lead to a man-in-the-middle attack. There are no known instances
of this problem being exploited in the wild and in practice it should be
difficult to actually exploit this vulnerability.
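The following C program is an added illustration of the truncation the report describes; it is not serf's code and is not part of the advisory. It constructs the DER encoding of a dNSName-style IA5String whose counted length spans an embedded NUL, then runs two hostname checks over it: the vulnerable pattern that converts the field to a C string, and a counted-length comparison that refuses embedded NULs. The sample bytes, the hostnames `www.bank.example` and `.attacker.example`, and all function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not from any real certificate): the DER encoding of an
 * IA5String (tag 0x16), the type used for a dNSName entry in subjectAltName.
 * The length byte counts all 34 content bytes, including the NUL at offset
 * 16, so the encoded name is "www.bank.example\0.attacker.example" as a whole,
 * not just the 16 bytes before the NUL. */
static const unsigned char sample_dnsname_tlv[] = {
    0x16, 0x22,                                     /* IA5String, length 34 */
    'w','w','w','.','b','a','n','k','.','e','x','a','m','p','l','e',
    0x00,                                           /* embedded NUL */
    '.','a','t','t','a','c','k','e','r','.','e','x','a','m','p','l','e'
};

/* Minimal DER reader for one primitive string TLV (IA5String 0x16,
 * PrintableString 0x13, UTF8String 0x0c) with a short-form length, which is
 * all this demonstration needs. Returns a pointer to the content bytes and
 * stores their counted length, or NULL on malformed input. */
const unsigned char *der_string_contents(const unsigned char *tlv, size_t tlv_len,
                                         size_t *content_len)
{
    if (tlv_len < 2)
        return NULL;
    if (tlv[0] != 0x16 && tlv[0] != 0x13 && tlv[0] != 0x0c)
        return NULL;
    if (tlv[1] & 0x80)              /* long-form length: not handled here */
        return NULL;
    size_t len = tlv[1];
    if (tlv_len - 2 < len)          /* length claims bytes that are not there */
        return NULL;
    *content_len = len;
    return tlv + 2;
}

/* The vulnerable pattern: the counted-length field is handed out as a C
 * string, so string functions stop at the embedded NUL and the caller ends
 * up comparing only "www.bank.example". Returns 1 on match, 0 otherwise. */
int hostname_matches_cstring(const unsigned char *field, size_t len,
                             const char *expected)
{
    char *cstr = malloc(len + 1);
    if (cstr == NULL)
        return 0;
    memcpy(cstr, field, len);
    cstr[len] = '\0';
    int match = (strcmp(cstr, expected) == 0);  /* sees 16 bytes, not 34 */
    free(cstr);
    return match;
}

/* Hardened comparison: keep the counted length end to end. No legitimate
 * hostname contains a NUL, so its presence is rejected outright; otherwise
 * the full length and every byte must match. (Case folding of hostnames is
 * omitted here to keep the point clear.) */
int hostname_matches_counted(const unsigned char *field, size_t len,
                             const char *expected)
{
    if (memchr(field, '\0', len) != NULL)
        return 0;
    size_t expected_len = strlen(expected);
    return len == expected_len && memcmp(field, expected, len) == 0;
}

/* Runs the given check over the constructed SAN entry against the hostname a
 * victim client believes it is connecting to; -1 if the TLV does not parse. */
static int check_forged_name(int (*check)(const unsigned char *, size_t, const char *))
{
    size_t len;
    const unsigned char *name = der_string_contents(sample_dnsname_tlv,
                                                    sizeof sample_dnsname_tlv, &len);
    if (name == NULL)
        return -1;
    return check(name, len, "www.bank.example");
}

int forged_name_passes_cstring_check(void)
{
    return check_forged_name(hostname_matches_cstring);
}

int forged_name_passes_counted_check(void)
{
    return check_forged_name(hostname_matches_counted);
}

int main(void)
{
    printf("C-string comparison accepts forged name: %d\n",
           forged_name_passes_cstring_check());   /* 1: vulnerable */
    printf("Counted-length comparison accepts it:    %d\n",
           forged_name_passes_counted_check());   /* 0: rejected */
    return 0;
}
```

The practical lesson is the same one the report draws: any API that returns certificate fields as C strings must either carry the DER length alongside the pointer or treat an embedded NUL as a verification failure, since a caller comparing the truncated value against the hostname it connected to will accept the certificate for `www.bank.example` even though the certificate authority issued it for the full 34-byte name.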
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright