Edit report at https://bugs.php.net/bug.php?id=69274&edit=1

  ID: 69274
  Updated by: rasmus@php.net
  Reported by: codexb@gmail.com
  Summary: preg_match function can be bypass with array type
-Status: Open
+Status: Not a bug
  Type: Bug
  Package: *General Issues
  Operating System: All
  PHP Version: 5.6.7
  Block user comment: N
  Private report: N

  New Comment:

preg_match() is well-documented to take a string. You are passing it an array. You need some input validation before your call to preg_match() there. See the filter functions.

Previous Comments:
[2015-03-21 00:51:54] codexb@gmail.com

1. Test environment: Windows, PHP 5.6.7

2. Technical detail

The preg_match function compares a regular expression against the user's input.
But if the input value is an array, it fails to compare.
As a result, the following script continues to execute. An attacker can bypass the preg_match function and cause various side effects.

Test script:
this is poc of vulnerability.[]=abc'def

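$a = $_GET['input']; // becomes an array when the request sends input[]=...
if(preg_match("~[^0-9a-z+\\.]~",$a,$match)) { // special char check
  echo "you can't execute following script";
  exit; // stop here when a special character is found
}
system("touch filename");
echo "why i am here";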

Expected result:
"why i am here" is printed
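
The input validation recommended in the reply above, sketched as an added example (not code from the report or from the PHP project): it rejects non-string input before the regex runs and treats only an explicit 0 from preg_match() as a pass. The helper names checked_input and checked_input_filter and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of the original report.

// Returns the input only if it is a string that passes the report's check.
function checked_input($raw)
{
    // $_GET['input'] is an array when the query string uses input[]=...
    if (!is_string($raw)) {
        return null;
    }
    // Same character class as the report: anything outside 0-9, a-z, '+', '.'
    $r = preg_match('~[^0-9a-z+.]~', $raw);
    // 1 = forbidden character found, 0 = clean, false = PCRE error.
    // Only an explicit 0 counts as "passed", so errors fail closed.
    return $r === 0 ? $raw : null;
}

// The filter functions accept only scalars by default, so an array
// fails validation and filter_var() returns false.
function checked_input_filter($raw)
{
    $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, array(
        'options' => array('regexp' => '~\A[0-9a-z+.]*\z~'),
    ));
    return $ok === false ? null : $ok;
}

// Constructed sample inputs: a valid string, the array form from the
// report's query string, and a string containing a forbidden character.
$samples = array('abc+1.0', array("abc'def"), "abc'def");
foreach ($samples as $s) {
    // Only the first sample yields a string; the other two yield NULL.
    var_dump(checked_input($s), checked_input_filter($s));
}
```

A caller would stop the request whenever either helper returns null, before reaching the system() call.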

