php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35960 preg_replace exploit using 'e' (executor)
Submitted: 2006-01-10 12:14 UTC Modified: 2006-01-10 12:37 UTC
From: djmaze at cpgnuke dot com Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.1.1 OS: Windows
Private report: No CVE-ID: None
 [2006-01-10 12:14 UTC] djmaze at cpgnuke dot com
Description:
------------
When using preg_replace() with the 'e' modifier you can exploit variables since the $ sign doesn't get backslashed.
Tested on several PHP versions both 4.x and 5.x

Reproduce code:
---------------
<?php
error_reporting(E_ALL);
$exploited = 'my password';
$exploit = '[php]$exploited[/php]';
function highlight_php($txt)
{
	return "<pre>$txt</pre>";
}
echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php("\\1")', $exploit); # exploited

echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php(\'\\1\')', $exploit); # no exploit
?>



Expected result:
----------------
<pre>$exploited</pre>

Actual result:
--------------
<pre>my password</pre>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-10 12:20 UTC] tony2001@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

echo $exploited; is much more easier way to output a variable.
 [2006-01-10 12:31 UTC] djmaze at cpgnuke dot com
If you preg_replace() submitted data thru $_GET or $_POST i can for example put in $_GET something like: $_GET['input'] = '$foobar';

This means either update the documentation with an note stating that using the 'e' modifier the function doesn't backslash $ or force it to do so.

Because "echo $_GET['input'];" outputs $foobar
and the preg_replace() outputs the content of $foobar
 [2006-01-10 12:37 UTC] tony2001@php.net
e
If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, *evaluates it as PHP code*, and uses the result for replacing the search string. Single and double quotes are escaped by backslashes in substituted backreferences.
(c) http://php.net/manual/en/reference.pcre.pattern.modifiers.php

I don't see a reason for "e" to backslash "$". 
This is expected and well documented.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC