Bug #69274 preg_match function can be bypassed with array type value
Submitted: 2015-03-21 00:51 UTC Modified: 2015-03-21 01:52 UTC
From: codexb at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.6.7 OS: All
Private report: No CVE-ID: None
 [2015-03-21 00:51 UTC] codexb at gmail dot com
Description:
------------
1. test environment : windows php 5.6.7

2. technical detail

The preg_match function compares a regular expression with the user's input.
But if the input value is an array, it fails to compare.
As a result, the following script continues to execute. An attacker can bypass the preg_match function and cause side effects in various cases.




Test script:
---------------
This is a PoC of the vulnerability.

http://192.168.0.2/test.php?input[]=abc'def

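<?php
// PoC from the report: $a is an array when requested as input[]=...
$a = $_GET['input'];
// On PHP 5.6, preg_match() given an array returns false with a warning,
// so this branch is skipped.
if(preg_match("~[^0-9a-z+\\.]~",$a,$match)) { // special char check
	echo "you can't execute following script";
	exit;
}
system("touch filename");
echo "why i am here";
?>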

Expected result:
----------------
"why i am here" is printed


 [2015-03-21 01:52 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2015-03-21 01:52 UTC] rasmus@php.net
preg_match() is well-documented to take a string. You are passing it an array. You need some input validation before your call to preg_match() there. See the filter functions.
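
The input validation the reply above calls for, as an added example that is not part of the original report or reply. The helper names, the allowlist pattern (built from the report's character class) and the sample query strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical, not from the report.
// Allowlist built from the report's character class; requiring at least
// one character is an assumption of this example.
const ALLOWED = '~\A[0-9a-z+.]+\z~';

function validated_input(array $query, string $key): ?string
{
    $value = $query[$key] ?? null;
    // input[]=... makes PHP build an array: reject anything but a string.
    if (!is_string($value)) {
        return null;
    }
    // Strict comparison with 1: both 0 (no match) and false (PCRE error)
    // fail closed instead of falling through.
    return preg_match(ALLOWED, $value) === 1 ? $value : null;
}

// The same check through the filter extension. Without FILTER_REQUIRE_ARRAY
// or FILTER_FORCE_ARRAY, filter_var() returns false for an array.
function validated_input_filter(array $query, string $key): ?string
{
    $result = filter_var($query[$key] ?? null, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => ALLOWED],
    ]);
    return $result === false ? null : $result;
}

// Constructed query strings; parse_str() builds the same structure as $_GET.
foreach (["input[]=abc'def", "input=abc'def", 'input=abc.def', 'other=1'] as $qs) {
    parse_str($qs, $query);
    $a = validated_input($query, 'input');
    $b = validated_input_filter($query, 'input');
    printf("%-16s manual=%s filter=%s\n", $qs, var_export($a, true), var_export($b, true));
    if ($a === null) {
        continue; // invalid input: never reach the privileged action
    }
    // ... the action that needs the validated value would go here ...
}
```

Both helpers treat a missing key, an array value and a string with disallowed characters the same way: the caller gets null and the privileged code path is not reached.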
 