Edit report at https://bugs.php.net/bug.php?id=69274&edit=1

  ID: 69274
  Updated by: rasmus@php.net
  Reported by: codexb@gmail.com
  Summary: preg_match function can be bypass with array type value
-Status: Open
+Status: Not a bug
  Type: Bug
  Package: *General Issues
  Operating System: All
  PHP Version: 5.6.7
  Block user comment: N
  Private report: N

  New Comment:

preg_match() is well-documented to take a string. You are passing it an array. You need some input validation before your call to preg_match() there. See the filter functions.


Previous Comments:
------------------------------------------------------------------------
[2015-03-21 00:51:54] codexb@gmail.com

Description:
------------
1. test environment : windows php 5.6.7

2. technical detail

The preg_match function compares a regular expression against the user's input,
but if the input value is an array it fails to compare.
As a result, the following script continues to execute. An attacker can bypass the preg_match function and cause various side effects.




Test script:
---------------
This is a PoC of the vulnerability.

http://192.168.0.2/test.php?input[]=abc'def

<?php
$a = $_GET['input'];
if(preg_match("~[^0-9a-z+\\.]~",$a,$match)) { // special char check
  echo "you can't execute following script";
  exit;
}
system("touch filename");
echo "why i am here";
?>

Expected result:
----------------
"why i am here" print



------------------------------------------------------------------------
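The input validation that the maintainer's reply asks for, as an added example that is not part of the bug report or of PHP itself. The helper names `validate_input()` and `validate_input_filter()` are hypothetical, the sample inputs are constructed, and rejecting the empty string is an assumption of this sketch.

```php
<?php
// Added example: fail-closed validation for the 'input' parameter.

// Return $raw if it is a non-empty string of [0-9a-z+.] only, else null.
function validate_input($raw)
{
    // ?input[]=... reaches the script as an array, so check the type first.
    if (!is_string($raw)) {
        return null;
    }
    // Allowlist the whole string. preg_match() returns 1 (match),
    // 0 (no match) or false (error); only an explicit 1 is accepted.
    if (preg_match('~\A[0-9a-z+.]+\z~', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// The same policy with the filter extension: without FILTER_REQUIRE_ARRAY
// or FILTER_FORCE_ARRAY, filter_var() fails on array input.
function validate_input_filter($raw)
{
    $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '~\A[0-9a-z+.]+\z~'),
    ));
    return $ok === false ? null : $ok;
}

// Constructed sample inputs, shaped like the values $_GET['input'] can take.
$samples = array(
    'plain string'       => 'abc',
    'quote in string'    => "abc'def",
    'array from input[]' => array("abc'def"),
    'missing parameter'  => null,
);

foreach ($samples as $label => $raw) {
    printf(
        "%-20s preg: %-8s filter: %s\n",
        $label,
        var_export(validate_input($raw), true),
        var_export(validate_input_filter($raw), true)
    );
}
```

Only the plain string is returned by both helpers; the other three inputs yield `null`, so a caller that proceeds only on a non-null result never reaches the `system()` call with unvalidated input.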
