php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #73536 var_dump ignore private permitions in class
Submitted: 2016-11-16 08:49 UTC Modified: 2016-11-24 10:44 UTC
From: peter dot mlich at volny dot cz Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 5.6.28 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: peter dot mlich at volny dot cz
New email:
PHP Version: OS:

 

 [2016-11-16 08:49 UTC] peter dot mlich at volny dot cz 
Description:
------------
---
From manual page: http://www.php.net/function.var-dump
---

var_dump ignore class permitions 'private'.

Php 5.5.12.
Cannot be upgraded, wamp server problem. But, its only for programing and testing. On server have top version, but not run test code there.

Test script:
---------------
class classDb
{
private $table;
public $structure;
function __construct($structure)
    {
    $this->table = array(1,2,3);
    }
}
$users_db = new classDb('classUser');
var_dump($users_db); // 2
var_dump($users_db->table); // 1

// 1 - Fatal error: Cannot access private property classDb::$table in C:\wamp\www\
// 2 - Show all + all in private $users_db->table :) easy for hackers

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-16 09:52 UTC] krakjoe@php.net
-Type: Security +Type: Feature/Change Request
 [2016-11-16 10:08 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2016-11-16 10:08 UTC] stas@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is how var_dump is supposed to work. It's a debug function.
 [2016-11-20 08:02 UTC] peter dot mlich at volny dot cz 
If it not bug, then lucky day for hackers. If i hide db name, psw dto class, hacker can easy show it only with php command :)
I think, this is very stupid bug. I now need find new methode to hide password.
 [2016-11-20 15:45 UTC] rasmus@php.net 
If a hacker has access to write arbitrary PHP on a site he can simply open up the file containing the private properties and look at them. The access level of a property is not a security feature.
 [2016-11-23 06:51 UTC] peter dot mlich at volny dot cz 
Must know file path. But, if i open file do $tmp and rewrite to clas, unset($tmp), unset($CFG), hacker no have information.
 [2016-11-23 08:12 UTC] rasmus@php.net 
A simple call to get_included_files() or a shell out to a grep will trivially get the file path.
 [2016-11-24 07:33 UTC] peter dot mlich at volny dot cz 
example:

$path = '...';
$str = file_get_content($path);
$CFG = parseXYZ($str);
$my_class->setCfg($CFG);
unset($path);
unset($CFG);
var_dump($path);

You not know $path, if you not read this file. You can use file_get_content. But, i can use fileReader.php, read from directory blocked by .htaccess for only read for only this file. I can counting reading files in private variable. Readed cfg or not. You cannot use double times to read one file.
 [2016-11-24 10:44 UTC] yohgaki@php.net 
Just curious. If you want to steal "private" property info, why don't you use debug_zval_dump()?

$ php -r 'class foo { private $p = "abc"; } $o = new foo; debug_zval_dump($o);'
object(foo)#1 (1) refcount(2){
  ["p":"foo":private]=>
  string(3) "abc" refcount(2)
}

I guess you would like to hide sensitive information in script/object variable from malicious "modules"/"extensions", but it's impossible for many languages/platforms. Java does not allow to dump objects like PHP. Not sure how well other scripting languages hide private property (and app installation path). Are there scripting languages hide private property well and/or hide file path information? (I'm curious about path, too. You can get file path by __FILE__ constant to know app installation path)


Mitigation:
var_dump()/debug_zval_dump()/get_included_files()/etc are debugging functions. Disable them by disable_functions INI. Or applications can tokenize module/extension PHP code and check unwanted functions. This is very fragile security measure because of nature of blacklist security, though.

disable_functions is INI_SYSTEM
main/main.c:562:	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)

I guess most secure apps are using environment variables for security sensitive information, so getenv() should be restricted in this case. However, getenv() may be used for good reasons.

We may consider change it to INI_PERDIR, perhaps?
It may not be feasible. I don't check the code.

"Securing PHP application module/extension" is interesting topic, but we don't provide it now.

Suggestions are welcome. e.g. Framework that is relatively secure PHP script module/extension, hides application's sensitive information.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri May 03 14:01:30 2024 UTC