This could be evidence of an attempted Poison NULL Byte Attack. PHP and Perl do not use NULL-terminated strings, but most underlying systems (anything C-based) do.
This can lead to a certain class of attack where the attacker constructs a string that the programmer intended to be impossible. For example, if you were using a C library to include local file content into a web page, in your PHP you might do something like:
grabLocalFile($_GET['file_name'] . ".php");
By manually appending the ".php" it can appear that some security is offered - in that only file names ending with .php can be included. However, if an attacker is able to send a request such as:
example.com/index.php?file_name=/etc/passwd\0
The null byte \0 will be treated as part of the string by PHP, which ends up calling:
grabLocalFile("/etc/passwd\0.php");
When this string reaches the underlying system, the NULL byte will be treated as a string terminator, and the .php will be ignored. Now the attacker has included /etc/passwd into the web page he is viewing, despite the developer's attempt to enforce inclusion only of files ending in ".php".
To mitigate these kinds of attacks you can strip out the NULL byte altogether by doing something like this:
$string = str_replace(chr(0), '', $string);
Regardless, suhosin looks like it is properly configured to defend against this class of attack.
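The mismatch described above, seen from the C side, together with a guard that rejects the value instead of stripping it. This is an added example, not part of the original answer; the `counted` struct, the function names and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-counted string, the way PHP or Perl holds it: bytes plus an explicit length. */
struct counted { const char *bytes; size_t len; };

/* Suffix check as the scripting layer sees it: looks at the last bytes of the full value. */
static bool counted_ends_with(struct counted s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.bytes + s.len - n, suffix, n) == 0;
}

/* Suffix check as a C library sees it: the string stops at the first NUL byte. */
static bool cstr_ends_with(const char *s, const char *suffix) {
    size_t len = strlen(s), n = strlen(suffix);
    return len >= n && memcmp(s + len - n, suffix, n) == 0;
}

/* Boundary guard: refuse any value whose C view would be shorter than its
   counted length, i.e. any value containing an embedded NUL byte. */
static bool safe_for_c_api(struct counted s) {
    return memchr(s.bytes, '\0', s.len) == NULL;
}

/* Constructed sample inputs; sizeof - 1 drops only the literal's own terminator. */
static const char poisoned_bytes[] = "/etc/passwd\0.php";
static const char normal_bytes[] = "pages/about.php";

static struct counted poisoned(void) {
    return (struct counted){ poisoned_bytes, sizeof poisoned_bytes - 1 };
}
static struct counted normal(void) {
    return (struct counted){ normal_bytes, sizeof normal_bytes - 1 };
}

int main(void) {
    struct counted in[2] = { poisoned(), normal() };
    for (int i = 0; i < 2; i++) {
        /* %s prints the C view of the value, which ends at the first NUL. */
        printf("c_view=%-16s counted_len=%zu counted_suffix_ok=%d c_suffix_ok=%d safe=%d\n",
               in[i].bytes, in[i].len, counted_ends_with(in[i], ".php"),
               cstr_ends_with(in[i].bytes, ".php"), safe_for_c_api(in[i]));
    }
    return 0;
}
```

Rejecting at the boundary keeps the counted view and the C view identical for every value that gets through, so a suffix check made in one layer still holds in the other.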