php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76671 bypass strpos verification
Submitted: 2018-07-27 01:33 UTC Modified: 2019-01-28 09:02 UTC
From: guilhermeassmannn at gmail dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: Irrelevant OS: MacOS High Sierra & Ubuntu 16.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: guilhermeassmannn at gmail dot com
New email:
PHP Version: OS:

 

 [2018-07-27 01:33 UTC] guilhermeassmannn at gmail dot com
Description:
------------
The bug is more related to when we send a string with encode to the strpos(), when we sent a string with double encode we were able to bypass the verification, using %2570hp if the case is like strpos($string, "php").





Test script:
---------------
$x = $_GET['x']; //?x=file:///var/www/html/readme.%2570hp
$pos = strpos($x,"php");
if($pos){
        exit("denied");
}
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,"$x");
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$result = curl_exec($ch);
echo $result;

Expected result:
----------------
denied

Actual result:
--------------
<?php
//readme
?>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-07-27 02:00 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2018-07-27 02:00 UTC] rasmus@php.net
strpos() is a low-level string manipulation function. If the string you are parsing has a higher-level meaning, you need to handle that yourself before calling strpos(). That might mean calling urldecode() if you know the string is an encoded url.
 [2018-07-27 02:56 UTC] guilhermeassmannn at gmail dot com
ok but, using urldecode() we can do with triple encode,so the correct would be to never use the strpos for the user?
 [2018-07-27 10:24 UTC] a at b dot c dot de
Well, you shouldn't be trying to prevent attacks by second-guessing what an attacker might do. Instead of *forbidding* certain requests, only *allow* requests that you know are safe.
 [2018-07-27 11:29 UTC] rasmus@php.net
Of course not, but strpos() can't possibly know what sort of context your string is going to be used in. Only you know it is a URL. In this particular case you could simply check for '%' and urldecode() until they are gone.

eg. while(strstr($url,'%')) $url = urldecode($url);
 [2019-01-28 05:29 UTC] aa963577242 at gmail dot com
who say this is not bug. i just  say you don't know web security.-_-
 [2019-01-28 05:41 UTC] aa963577242 at gmail dot com
ok,,,,,,,i am sorry, i  think this is not strpos function bug,but this is another bug......
 [2019-01-28 06:47 UTC] spam2 at rhsoft dot net
yes, in front of the keyboard when use low-level string functions for things they are not made for
 [2019-01-28 09:02 UTC] yohgaki@php.net
In general, multiple decodes should not be done for security reasons.

I don't see problematic multiple decodes in this script, but I see improper validation. i.e. URL protocol must be validated always by whitelist and URL decoded value $x must not include % almost always by whitelist. 

If pathname that has '%' is allowed by app spec, the programmer must implement proper validation for it by themselves.

"Security feature/software/code" is not "Software security". i.e. Developers must establish "Software security" by their own. This is good example.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 09:01:24 2019 UTC