PHP :: Bug #76671 :: bypass strpos verification

Bug #76671	bypass strpos verification
Submitted:	2018-07-27 01:33 UTC	Modified:	2019-01-28 09:02 UTC
From:	guilhermeassmannn at gmail dot com	Assigned:
Status:	Not a bug	Package:	Strings related
PHP Version:	Irrelevant	OS:	MacOS High Sierra & Ubuntu 16.04
Private report:	No	CVE-ID:	None

View Developer Edit

[2018-07-27 01:33 UTC] guilhermeassmannn at gmail dot com

Description:
------------
The bug is more related to when we send a string with encode to the strpos(), when we sent a string with double encode we were able to bypass the verification, using %2570hp if the case is like strpos($string, "php").





Test script:
---------------
$x = $_GET['x']; //?x=file:///var/www/html/readme.%2570hp
$pos = strpos($x,"php");
if($pos){
        exit("denied");
}
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,"$x");
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$result = curl_exec($ch);
echo $result;

Expected result:
----------------
denied

Actual result:
--------------
<?php
//readme
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-07-27 02:00 UTC] rasmus@php.net

-Status: Open +Status: Not a bug

[2018-07-27 02:00 UTC] rasmus@php.net

strpos() is a low-level string manipulation function. If the string you are parsing has a higher-level meaning, you need to handle that yourself before calling strpos(). That might mean calling urldecode() if you know the string is an encoded url.

[2018-07-27 02:56 UTC] guilhermeassmannn at gmail dot com

ok but, using urldecode() we can do with triple encode,so the correct would be to never use the strpos for the user?

[2018-07-27 10:24 UTC] a at b dot c dot de

Well, you shouldn't be trying to prevent attacks by second-guessing what an attacker might do. Instead of *forbidding* certain requests, only *allow* requests that you know are safe.

[2018-07-27 11:29 UTC] rasmus@php.net

Of course not, but strpos() can't possibly know what sort of context your string is going to be used in. Only you know it is a URL. In this particular case you could simply check for '%' and urldecode() until they are gone.

eg. while(strstr($url,'%')) $url = urldecode($url);

[2019-01-28 05:29 UTC] aa963577242 at gmail dot com

who say this is not bug. i just  say you don't know web security.-_-

[2019-01-28 05:41 UTC] aa963577242 at gmail dot com

ok,,,,,,,i am sorry, i  think this is not strpos function bug,but this is another bug......

[2019-01-28 06:47 UTC] spam2 at rhsoft dot net

yes, in front of the keyboard when use low-level string functions for things they are not made for

[2019-01-28 09:02 UTC] yohgaki@php.net

In general, multiple decodes should not be done for security reasons.

I don't see problematic multiple decodes in this script, but I see improper validation. i.e. URL protocol must be validated always by whitelist and URL decoded value $x must not include % almost always by whitelist. 

If pathname that has '%' is allowed by app spec, the programmer must implement proper validation for it by themselves.

"Security feature/software/code" is not "Software security". i.e. Developers must establish "Software security" by their own. This is good example.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 22:01:29 2025 UTC