Bug #76671 bypass strpos verification
Submitted: 2018-07-27 01:33 UTC Modified: 2019-01-28 09:02 UTC
From: guilhermeassmannn at gmail dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: Irrelevant OS: MacOS High Sierra & Ubuntu 16.04
Private report: No CVE-ID: None
 [2018-07-27 01:33 UTC] guilhermeassmannn at gmail dot com
Description:
------------
The bug is more related to sending an encoded string to strpos(): when we sent a double-encoded string we were able to bypass the verification, using %2570hp when the check is something like strpos($string, "php").





Test script:
---------------
<?php
$x = $_GET['x']; // ?x=file:///var/www/html/readme.%2570hp  (PHP has already decoded it once: readme.%70hp)
$pos = strpos($x, "php"); // looks for the literal bytes "php" only
if ($pos !== false) { // original used if($pos), which also misses "php" at offset 0
    exit("denied");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $x); // the file:// path is decoded once more when fetched: readme.php
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
echo $result;

Expected result:
----------------
denied

Actual result:
--------------
<?php
//readme
?>


 [2018-07-27 02:00 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2018-07-27 02:00 UTC] rasmus@php.net
strpos() is a low-level string manipulation function. If the string you are parsing has a higher-level meaning, you need to handle that yourself before calling strpos(). That might mean calling urldecode() if you know the string is an encoded url.
 [2018-07-27 02:56 UTC] guilhermeassmannn at gmail dot com
OK, but using urldecode() we can do it with triple encoding, so the correct thing would be to never use strpos() for user input?
 [2018-07-27 10:24 UTC] a at b dot c dot de
Well, you shouldn't be trying to prevent attacks by second-guessing what an attacker might do. Instead of *forbidding* certain requests, only *allow* requests that you know are safe.
 [2018-07-27 11:29 UTC] rasmus@php.net
Of course not, but strpos() can't possibly know what sort of context your string is going to be used in. Only you know it is a URL. In this particular case you could simply check for '%' and urldecode() until they are gone.

eg. while(strstr($url,'%')) $url = urldecode($url);
 [2019-01-28 05:29 UTC] aa963577242 at gmail dot com
Who says this is not a bug? I just say you don't know web security. -_-
 [2019-01-28 05:41 UTC] aa963577242 at gmail dot com
OK, I am sorry. I think this is not a strpos() function bug, but this is another bug...
 [2019-01-28 06:47 UTC] spam2 at rhsoft dot net
Yes, in front of the keyboard, when one uses low-level string functions for things they are not made for.
 [2019-01-28 09:02 UTC] yohgaki@php.net
In general, multiple decodes should not be done for security reasons.

I don't see problematic multiple decodes in this script, but I see improper validation. i.e. the URL protocol must always be validated by whitelist, and the URL-decoded value $x must almost always not include % (by whitelist).

If a pathname that has '%' is allowed by the app spec, the programmer must implement proper validation for it themselves.

"Security feature/software/code" is not "Software security". i.e. developers must establish "software security" on their own. This is a good example.
 
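The decode chain behind this report, together with the two validation styles debated above (rasmus' decode-until-clean loop and yohgaki's allowlist), as an added example that is not code from the report or from PHP itself. It stands in for $_GET with a single urldecode() (PHP percent-decodes a query-string value exactly once on the way in), and stands in for curl's file:// handler with one further rawurldecode() of the path, which is an assumption consistent with the report's actual result rather than something this page states. All inputs are constructed; the function names are the example's own.

```php
<?php
// Added example, not part of the bug report. Reproduces the decode chain
// offline: no $_GET, no curl, no files. That curl percent-decodes a file://
// path once more before opening it is an assumption (see the lead-in).
declare(strict_types=1);

/** The check from the test script, as a predicate: true means "denied". */
function naiveDenies(string $x): bool
{
    // The original used if($pos), which is false for offset 0 as well as
    // for "not found"; compare against false explicitly.
    return strpos($x, 'php') !== false;
}

/** PHP percent-decodes a query-string value exactly once on its way into $_GET. */
function asSeenInGet(string $rawQueryValue): string
{
    return urldecode($rawQueryValue);
}

/** Path a file:// fetch would open, assuming one more percent-decode (assumption). */
function pathCurlWouldOpen(string $url): ?string
{
    if (strncmp($url, 'file://', 7) !== 0) {
        return null;
    }
    return rawurldecode(substr($url, 7));
}

/**
 * rasmus' suggestion, bounded: decode until no '%' remains, then check.
 * urldecode() leaves a '%' that is not followed by two hex digits untouched,
 * so an unbounded while(strstr($url,'%')) loop never terminates on "100%";
 * deny if the string stops changing or the round limit is reached.
 */
function denylistAfterFullDecode(string $x, int $maxRounds = 8): bool
{
    for ($i = 0; $i < $maxRounds && strpos($x, '%') !== false; $i++) {
        $decoded = urldecode($x);
        if ($decoded === $x) {
            return true; // stray '%' that cannot be decoded: deny rather than loop
        }
        $x = $decoded;
    }
    if (strpos($x, '%') !== false) {
        return true; // still encoded after the bound: deny
    }
    return naiveDenies($x);
}

/**
 * Allowlist in the spirit of yohgaki's comment: accept only http(s) URLs
 * with a host, and refuse any '%' in the once-decoded value so that no later
 * stage (curl, the filesystem, a backend) can decode it into something else.
 * Returns the accepted URL, or null to deny.
 */
function allowlistedUrl(string $x, array $schemes = ['http', 'https']): ?string
{
    if (strpos($x, '%') !== false) {
        return null;
    }
    $parts = parse_url($x);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), $schemes, true)) {
        return null;
    }
    return $x;
}

// Constructed inputs: the report's payload, its plain and triple-encoded
// variants, and a benign URL that a denylist on "php" rejects by mistake.
$rawValues = [
    'file:///var/www/html/readme.php',
    'file:///var/www/html/readme.%2570hp',
    'file:///var/www/html/readme.%25252570hp',
    'https://example.com/readme.php',
];

foreach ($rawValues as $raw) {
    $x = asSeenInGet($raw);
    echo "query value : $raw\n";
    echo "  \$_GET['x']  : $x\n";
    echo "  strpos check: " . (naiveDenies($x) ? 'denied' : 'ALLOWED') . "\n";
    echo "  curl opens  : " . (pathCurlWouldOpen($x) ?? '(not file://)') . "\n";
    echo "  full-decode : " . (denylistAfterFullDecode($x) ? 'denied' : 'ALLOWED') . "\n";
    echo "  allowlist   : " . (allowlistedUrl($x) ?? 'denied') . "\n";
}
```

Run it with `php example.php`. The %2570hp payload arrives in $_GET as `readme.%70hp`, which the strpos check lets through and which the file:// stage turns into `readme.php`; the triple-encoded variant also passes the strpos check but the simulated fetch only gets it down to `readme.%2570hp`, which is why a single urldecode() before the check is not enough either. The bounded decode-until-clean loop catches both payloads, but being a denylist it also rejects the harmless `https://example.com/readme.php`, and as written in the thread it must be bounded or it spins forever on a value like `100%`. The allowlist denies all three file:// inputs without needing to know the payload and accepts the https URL, which is the point yohgaki and "a at b dot c dot de" are making.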