PHP :: Bug #35960 :: preg_replace exploit using 'e' (executor)

Bug #35960	preg_replace exploit using 'e' (executor)
Submitted:	2006-01-10 12:14 UTC	Modified:	2006-01-10 12:37 UTC
From:	djmaze at cpgnuke dot com	Assigned:
Status:	Not a bug	Package:	*Regular Expressions
PHP Version:	5.1.1	OS:	Windows
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	djmaze at cpgnuke dot com
New email:
PHP Version:		OS:

New Comment:

[2006-01-10 12:14 UTC] djmaze at cpgnuke dot com

Description:
------------
When using preg_replace() with the 'e' modifier you can exploit variables since the $ sign doesn't get backslashed.
Tested on several PHP versions both 4.x and 5.x

Reproduce code:
---------------
<?php
error_reporting(E_ALL);
$exploited = 'my password';
$exploit = '[php]$exploited[/php]';
function highlight_php($txt)
{
	return "<pre>$txt</pre>";
}
echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php("\\1")', $exploit); # exploited

echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php(\'\\1\')', $exploit); # no exploit
?>



Expected result:
----------------
<pre>$exploited</pre>

Actual result:
--------------
<pre>my password</pre>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-01-10 12:20 UTC] tony2001@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

echo $exploited; is much more easier way to output a variable.

[2006-01-10 12:31 UTC] djmaze at cpgnuke dot com

If you preg_replace() submitted data thru $_GET or $_POST i can for example put in $_GET something like: $_GET['input'] = '$foobar';

This means either update the documentation with an note stating that using the 'e' modifier the function doesn't backslash $ or force it to do so.

Because "echo $_GET['input'];" outputs $foobar
and the preg_replace() outputs the content of $foobar

[2006-01-10 12:37 UTC] tony2001@php.net

e
If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, *evaluates it as PHP code*, and uses the result for replacing the search string. Single and double quotes are escaped by backslashes in substituted backreferences.
(c) http://php.net/manual/en/reference.pcre.pattern.modifiers.php

I don't see a reason for "e" to backslash "$". 
This is expected and well documented.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Nov 02 13:00:01 2025 UTC