|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-12-10 19:37 UTC] cmb@php.net
[2017-12-12 08:02 UTC] stas@php.net
-Status: Open
+Status: Not a bug
[2017-12-12 08:02 UTC] stas@php.net
[2017-12-14 15:19 UTC] hanno at hboeck dot de
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 01:01:30 2024 UTC |
Description: ------------ The FILTER_VALIDATE_DOMAIN filter allows characters like spaces, semicolons and angle brackets. These can't be part of a valid domain. But more importantly they make code that relies on FILTER_VALIDATE_DOMAIN prone to script injections. I'll put an example script below that shows this. It takes a GET variable and first checks it with FILTER_VALIDATE_DOMAIN, afterwards passes the output to the ping command and will give the output to a user. Without knowing these limitations of FILTER_VALIDATE_DOMAIN this script appears safe, as one doesn't expect a domain name to have any characters that can pose trouble here. But it leads to a trivial script injection, e.g. by passing something "test; echo foo > bar" (creating a file "bar" on the targeted system) in the "domain" parameter. FILTER_VALIDATE_DOMAIN is currently undocumented, so I think it's probably not widely used. Still this looks like a serious security problem to me. This affects PHP 7.0, 7.1 and 7.2. PHP 5.6 didn't contain FILTER_VALIDATE_DOMAIN yet. Test script: --------------- <?php $r = filter_var($_GET['domain'], FILTER_VALIDATE_DOMAIN); if ($r === false) die("invalid domain"); system("ping -c 1 ".$_GET['domain']); Expected result: ---------------- FILTER_VALIDATE_DOMAIN should reject input with characters that can't be part of a legitimate domain name. Actual result: -------------- It accepts various problematic characters (space, ;, >, <) that can easily lead to security problems if one relies on the filter.