FAQ
Edit report at https://bugs.php.net/bug.php?id=70405&edit=1

  ID: 70405
  Updated by: rasmus@php.net
  Reported by: incubeftw@gmail.com
  Summary: Exploit
  Status: Not a bug
  Type: Bug
  Package: PHP Language Specification
  Operating System: Ubuntu 15.04
  PHP Version: 7.0.0RC1
  Block user comment: N
  Private report: N

  New Comment:

If the user has access to run PHP code then that same user could just readfile() the raw PHP file. Visibility is not a security feature. It is a convenience and code management feature.


Previous Comments:
------------------------------------------------------------------------
[2015-09-02 13:37:29] incubeftw@gmail.com

Let's say a user manages to upload a file that views all classes and then he selects a target class and dumps it and achieving all data that is defined in that class especially if mysql credentials is defined within class private/protected/public methods.

If I were you, I would make an option to disallow Class -> Array and var_dump/print_r on Class so we could choose that inside our php.ini whenever we would like.

------------------------------------------------------------------------
[2015-09-02 10:14:25] kalle@php.net

This is not a bug.

The private and protected keywords are visibility modifiers, meaning they allow you to modify (or not) on certain properties.

Checkout the documentation[1] for var_dump(), it is already explicitly written there that no matter the visibility modifiers are for properties, everything is read. The object to array cast is described here[2].

[1] http://php.net/var_dump
[2] http://php.net/language.types.array#language.types.array.casting

------------------------------------------------------------------------
[2015-09-02 09:55:33] incubeftw@gmail.com

Description:
------------
You can access any variable READ-ONLY on every class by dumping it.
Getting it's value is even easier since you can just cast it to an array and then dump it to file. It does NOT matter if it is a protected variable or not.

Test script:
---------------
<?php
class A {
  private $mysqlUser = 'root';
  protected $mysqlPassword = 'test';
  private $mysqlDatabase = 'myDatabase';
}

$classA = new A();
echo "<pre>";

// Exploit #1
var_dump($classA);

// Exploit #2
foreach((array)$classA as $x => $y) {
  echo "X => ".$x." Y => ".$y."\n";
}



------------------------------------------------------------------------

Search Discussions

Discussion Posts

Previous

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 3 | next ›
Discussion Overview
groupphp-standards @
categoriesphp
postedSep 2, '15 at 10:14a
activeSep 2, '15 at 1:57p
posts3
users3
websitephp.net

People

Translate

site design / logo © 2017 Grokbase