Bug #63890 Spoofchecker::isSuspicious crash on error variable
Submitted: 2013-01-03 00:57 UTC Modified: 2018-04-30 14:27 UTC
From: max at cxsecurity dot com Assigned: ab (profile)
Status: Closed Package: intl (PECL)
PHP Version: 5.4.10 OS: FreeBSD 9.1
Private report: No CVE-ID: None

 [2013-01-03 00:57 UTC] max at cxsecurity dot com
Description:
------------
Description:
Spoofchecker::isSuspicious — Checks if a given text contains any suspicious 
characters
public bool Spoofchecker::isSuspicious ( string $text [, string &$error ] )
This function is currently not documented; only its argument list is available.

Test:
cx@cx32:/test$ php c0poc.php 10000

cx@cx32:/test$ php c0poc.php 90000

Segmentation fault (core dumped)
cx@cx32:/test$ gdb /cxsecurity/php/54/bin/php

(gdb) r /test/c0poc.php 90000
Starting program: /cxsecurity/php/54/bin/php /test/c0poc.php 90000


Program received signal SIGSEGV, Segmentation fault.
0x08305230 in zend_hash_destroy (ht=0x92408e0)
    at /cxsecurity/php/54/Zend/zend_hash.c:560
560				ht->pDestructor(q->pData);

(gdb) r -v
PHP 5.4.10 (cli) (built: Jan  3 2013 00:08:09) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
[Inferior 1 (process 7500) exited normally]


Test script:
---------------
<?php 

$eee="
\$nx = new Spoofchecker();
\$nx->isSuspicious(1,\$var".str_repeat("[]",$argv[1]).");";

eval($eee);

?>


Expected result:
----------------
cx@cx32:/test$ php c0poc.php 90000



Actual result:
--------------
cx@cx32:/test$ php c0poc.php 90000

Segmentation fault (core dumped)

 [2016-04-09 17:17 UTC] ab@php.net
-Status: Open +Status: Verified
 [2016-04-09 17:17 UTC] ab@php.net
A quick check shows that it is still relevant for PHP 5 but is not reproducible in PHP 7.

Thanks.
 [2018-04-30 14:27 UTC] ab@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: ab
 [2018-04-30 14:27 UTC] ab@php.net
Closing as it's not relevant anymore.

Thanks.
 