Bug #70405 Exploit
Submitted: 2015-09-02 09:55 UTC Modified: 2015-09-02 15:31 UTC
From: incubeftw at gmail dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 7.0.0RC1 OS: Ubuntu 15.04
Private report: No CVE-ID: None
 [2015-09-02 09:55 UTC] incubeftw at gmail dot com
Description:
------------
You can access any variable READ-ONLY on every class by dumping it.
Getting its value is even easier since you can just cast it to an array and then dump it to file. It does NOT matter if it is a protected variable or not.

Test script:
---------------
<?php
class A {
	private   $mysqlUser = 'root';
	protected $mysqlPassword = 'test';
	private   $mysqlDatabase = 'myDatabase';
}

$classA = new A();
echo "<pre>";

// Exploit #1
var_dump($classA);

// Exploit #2
foreach((array)$classA as $x => $y) {
	echo "X => ".$x." Y => ".$y."\n";
}


 [2015-09-02 10:14 UTC] kalle@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2015-09-02 10:14 UTC] kalle@php.net
This is not a bug.

The private and protected keywords are visibility modifiers, meaning they allow you to modify (or not) on certain properties.

Check out the documentation[1] for var_dump(); it is already explicitly written there that no matter what the visibility modifiers are for properties, everything is read. The object to array cast is described here[2].

[1] http://php.net/var_dump
[2] http://php.net/language.types.array#language.types.array.casting
 [2015-09-02 13:37 UTC] incubeftw at gmail dot com
Let's say a user manages to upload a file that views all classes, and then he selects a target class and dumps it, achieving all data that is defined in that class, especially if MySQL credentials are defined within class private/protected/public methods.

If I were you, I would make an option to disallow Class -> Array and var_dump/print_r on Class so we could choose that inside our php.ini whenever we would like.
 [2015-09-02 13:57 UTC] rasmus@php.net
If the user has access to run PHP code then that same user could just readfile() the raw PHP file. Visibility is not a security feature. It is a convenience and code management feature.
 [2015-09-02 15:31 UTC] stas@php.net
-Package: PHP Language Specification +Package: Scripting Engine problem
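
The behaviour discussed in this thread, as an added example that is not part of the original report or of the PHP project's code: it decodes the key names an object-to-array cast produces and shows that redacting var_dump() output with __debugInfo() does not change what the cast returns. The class DbConfig, the helper describeCastKeys() and all values are constructed for illustration.

```php
<?php
// Added example: class name, property names and values are constructed.
class DbConfig {
    private   $mysqlUser = 'root';
    protected $mysqlPassword = 'test';

    // Controls what var_dump() prints for this object (PHP >= 5.6).
    public function __debugInfo() {
        return ['mysqlUser' => $this->mysqlUser, 'mysqlPassword' => '[redacted]'];
    }
}

// Decode the key names produced by an object-to-array cast:
//   "\0ClassName\0prop" = private, "\0*\0prop" = protected, "prop" = public.
function describeCastKeys($object) {
    $out = [];
    foreach ((array)$object as $key => $value) {
        $parts = explode("\0", $key);
        if (count($parts) === 3) {
            $visibility = $parts[1] === '*' ? 'protected' : 'private(' . $parts[1] . ')';
            $name = $parts[2];
        } else {
            $visibility = 'public';
            $name = $key;
        }
        $out[$name] = [$visibility, $value];
    }
    return $out;
}

$cfg = new DbConfig();

// 1. var_dump() shows only what __debugInfo() returns, so the password is redacted here.
var_dump($cfg);

// 2. The array cast ignores __debugInfo() and still yields every property value.
foreach (describeCastKeys($cfg) as $name => list($visibility, $value)) {
    echo "$name [$visibility] => $value\n";
}
```

The redaction only affects debug output, which is consistent with the replies above: visibility modifiers and dump formatting do not restrict what code running in the same process can read.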
 
Last updated: Wed Apr 24 10:01:31 2024 UTC