Bug #69274 preg_match function can be bypassed with array type value
Submitted: 2015-03-21 00:51 UTC
Modified: 2015-03-21 01:52 UTC
From: codexb at gmail dot com
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 5.6.7
OS: All
Private report: No
CVE-ID: None

 [2015-03-21 00:51 UTC] codexb at gmail dot com
Description:
------------
1. Test environment: Windows, PHP 5.6.7

2. Technical detail

The preg_match function compares a regular expression against the user's input.
But if the input value is an array, it fails to compare.
As a result, the following script continues to execute. An attacker can bypass the preg_match function and cause side effects in various cases.




Test script:
---------------
This is a PoC of the vulnerability.

http://192.168.0.2/test.php?input[]=abc'def

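<?php
// $_GET['input'] is an array when the request uses input[]=...
$a = $_GET['input'];
// With an array subject, preg_match() emits a warning and returns a falsy
// value, so the branch below is skipped (the behaviour being reported).
if(preg_match("~[^0-9a-z+\\.]~",$a,$match)) { // special char check
	echo "you can't execute following script";
	exit;
}
system("touch filename");
echo "why i am here";
?>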

Expected result:
----------------
"why i am here" is printed


 [2015-03-21 01:52 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2015-03-21 01:52 UTC] rasmus@php.net
preg_match() is well-documented to take a string. You are passing it an array. You need some input validation before your call to preg_match() there. See the filter functions.
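
The input validation the reply above calls for, as an added example that is not part of the bug report or of PHP's own code. `allowed_input()` is a hypothetical helper, the sample inputs are constructed, and rejecting the empty string is an assumption that differs from the original check.

```php
<?php
// Added example; allowed_input() is a hypothetical helper name.

/**
 * Returns the value only if it is a string made solely of [0-9a-z+.];
 * returns null for arrays, missing values or any disallowed character.
 */
function allowed_input($raw)
{
    // Reject non-strings first: ?input[]=... makes $_GET['input'] an array.
    if (!is_string($raw)) {
        return null;
    }
    // Allow-list match anchored with \A and \z (not $, which would accept a
    // trailing newline). Requiring === 1 fails closed: both 0 (no match) and
    // false (PCRE error) are treated as rejection. The + quantifier also
    // rejects the empty string (assumption).
    if (preg_match('~\A[0-9a-z+.]+\z~', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs standing in for $_GET['input'].
$samples = array(
    'scalar ok'        => 'abc+1.0',
    'scalar bad'       => "abc'def",
    'array (PoC)'      => array("abc'def"),
    'missing'          => null,
    'trailing newline' => "abc\n",
);

foreach ($samples as $label => $raw) {
    $ok = allowed_input($raw) !== null;
    echo str_pad($label, 18), $ok ? 'accepted' : 'rejected', "\n";
}

// The same rule through the filter extension on the real request parameter.
// filter_input() returns false when the parameter is an array (no
// FILTER_REQUIRE_ARRAY flag) or fails the regexp, and null when it is absent.
$value = filter_input(INPUT_GET, 'input', FILTER_VALIDATE_REGEXP,
    array('options' => array('regexp' => '~\A[0-9a-z+.]+\z~')));
if (!is_string($value)) {
    echo "input rejected\n";
}
```

Only `'abc+1.0'` is accepted; the array from the PoC request is rejected before `preg_match()` is ever called.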
Last updated: Thu Apr 25 13:01:30 2024 UTC