Request #73359 Bypass deactivated error reporting with set_error_handler()
Submitted: 2016-10-20 19:19 UTC Modified: 2016-10-29 15:46 UTC
From: me at michelgaschet dot gp Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 7.0.12 OS: All systems
Private report: No CVE-ID: None
 [2016-10-20 19:19 UTC] me at michelgaschet dot gp
Description:
------------
In a system with all error messages deactivated for security reasons (i.e. a production server), it remains possible for a malicious user with the ability to execute code to reactivate the error messages, even though the functions error_reporting()/ini_set() are disabled, when set_error_handler() is used.

Test script:
---------------
<?php

echo phpversion();

echo "<br />";

// Every non-fatal error is passed to this handler even when display_errors is
// off, so the details get echoed to the page anyway.
function myErrorHandler($errno, $errstr, $errfile, $errline) {
    var_dump($errno);
    var_dump($errstr);
    var_dump($errfile);
    var_dump($errline);
    return true; // handled: PHP's own (display_errors-governed) handler is skipped
}

$old_error_handler = set_error_handler("myErrorHandler");

// Bare undefined constant: raises E_NOTICE on PHP 7.0 (the reporter's version),
// which reaches the handler above. On PHP 8 this throws an Error instead.
lolel;
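As an added example (not code from the report or from PHP itself), this is the handler a production host should register instead: it honours the error_reporting() mask, routes details to error_log and never echoes them to the client. The ini_set() calls at the top emulate a production configuration in-process and the trigger_error() calls are constructed for the demo.

```php
<?php
// Added example (not part of the bug report): an error handler that respects a
// production configuration instead of echoing error details to the client.
// Plain PHP 7+ script; the triggers at the bottom are constructed for the demo.

// Emulate a production php.ini in-process (assumption: no disable_functions set).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL & ~E_USER_NOTICE);   // user notices deliberately silenced

/**
 * Custom handlers are invoked for every non-fatal error regardless of the
 * error_reporting() mask, so the handler must check the mask itself and
 * write to error_log rather than to the response body.
 * Fatal errors (E_ERROR, E_PARSE, ...) never reach a user handler; use
 * register_shutdown_function() with error_get_last() for those.
 * Returns true when handled, false to fall back to PHP's built-in handler.
 */
function productionErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    static $names = [
        E_WARNING => 'E_WARNING', E_NOTICE => 'E_NOTICE', E_DEPRECATED => 'E_DEPRECATED',
        E_USER_ERROR => 'E_USER_ERROR', E_USER_WARNING => 'E_USER_WARNING',
        E_USER_NOTICE => 'E_USER_NOTICE', E_USER_DEPRECATED => 'E_USER_DEPRECATED',
    ];
    // Honour error_reporting() and the @ operator (both change the current mask).
    if (!(error_reporting() & $errno)) {
        return false;
    }
    // error_log() goes to the configured log (file, syslog or stderr), never to stdout.
    error_log(sprintf('%s: %s in %s on line %d',
        $names[$errno] ?? "E_$errno", $errstr, $errfile, $errline));
    return true;   // handled: the default handler is skipped, nothing reaches the client
}

set_error_handler('productionErrorHandler');

// Constructed triggers for the demo.
trigger_error('constructed warning', E_USER_WARNING); // written to error_log
trigger_error('constructed notice', E_USER_NOTICE);   // masked: handler defers, nothing shown
$value = $missingVariable ?? 'default';               // ?? avoids the undefined-variable notice
echo "done\n";                                        // the only text reaching the client
```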


 [2016-10-20 20:49 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2016-10-20 20:49 UTC] stas@php.net
If you can run code on the server, you don't have to do tricks with error handler - you can output and in general do anything error handler does directly from your code.
 [2016-10-29 15:46 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2016-10-29 15:46 UTC] nikic@php.net
This is exactly how it should work.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC