php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #73359 Bypass desactivated error reporting with set_error_handler()
Submitted: 2016-10-20 19:19 UTC Modified: 2016-10-29 15:46 UTC
From: me at michelgaschet dot gp Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 7.0.12 OS: All systems
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2016-10-20 19:19 UTC] me at michelgaschet dot gp 
Description:
------------
In a system with all error message unactivated for security reason (I.E Production server), it remains possible to reactivate the error messages for a malicious user 
having the ability to execute code although functions error_reporting()/ini_set() be disabled, with the set_error_handler() is used.

Test script:
---------------
<?php

echo phpversion();

echo "<br />";
	
function myErrorHandler($errno, $errstr, $errfile, $errline) {
    var_dump($errno);
    var_dump($errstr);
    var_dump($errfile);
    var_dump($errline);
    return true;
  }

$old_error_handler = set_error_handler("myErrorHandler");

lolel;

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-20 20:49 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2016-10-20 20:49 UTC] stas@php.net 
If you can run code on the server, you don't have to do tricks with error handler - you can output and in general do anything error handler does directly from your code.
 [2016-10-29 15:46 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2016-10-29 15:46 UTC] nikic@php.net 
This is exactly how it should work.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 07:01:32 2024 UTC