Just one more example. Even when using double quotes, it is possible to execute code:
<?php $a = '___! ${`rm -rf /tmp/sess_*`} !___'; $b = preg_replace("/!(.*)!/e", "print(\"\\1\");", $a); ?> Again, assume $a comes from a tainted source. -James On Mon, 3 Feb 2003, James E. Flemer wrote: > A warning about preg_replace() command needs to be added to > the docs page for this command. The preg_replace() command > can use the "/e" modifier to have the "replacement" be > eval()d by PHP, just like perl. > > There is a high potential for exploitable PHP code if a > programmer uses the /e modifier and does not use quotes > around the back references (backrefs). Without quotes, > arbitrary commands may be executed by using the backtick > operator. Other commands may be executed as well, but are > more difficult, since addslashes() prevents the characters > ['"\\\0] from being used. > > An clear and explicit warning should be added to the doc > page for preg_replace, indicating the backrefs must always > be quoted. Single quotes are preferable, since double > quotes allow variable expansion. > > See the messages below for examples of how this may be > exploited. (Assume that $a comes from an untrusted source, > i.e. a get/post/cookie/header variable.) > > -James > > ---------- Forwarded message ---------- > Date: Mon, 3 Feb 2003 01:04:23 -0500 (EST) > From: James E. Flemer <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: [PHP-DEV] preg_replace oddity [exploitable] > > I found a more evil example: > > <?php > $a = "___! `rm -rf /tmp/sess_*` !___"; > $b = preg_replace("/!(.*)!/e", "print(\\1);", $a); > ?> > > This happily executes "rm -rf /tmp/sess_*". I will not > give out more examples, but if one examines the code for > addslashes() it is quite obvious what you can an cannot do > here. Thus it is clearly a Bad Thing for someone to use > preg_replace with the /e modifier and not use quotes around > the \\n or $n backrefs. > > The docs should be updated to include a very noticeable > warning about this hole. I am contemplating possible > solutions for this problem... > > Also as a side note, it does not seem to be possible to use > 'echo' as part of the expression, print must be used. (Yes > I know why, just pointing it out.) > > -James > > > On Thu, 30 Jan 2003, James E. Flemer wrote: > > > Can someone explain what is going on here: > > > > --- foo.php --- > > <?php > > $a = "___! 52); echo(42 !___"; > > $b = preg_replace("/!(.*)!/e", "print(\\1);", $a); > > print("\n---\na: $a\nb: $b\n"); > > ?> > > --- end --- > > --- output --- > > 52 > > --- > > a: ___! 52); echo(42 !___ > > b: ___1___ > > --- end --- > > > > I understand that one is supposed to use single quotes > > around the \\1 in the above preg_replace. But what happens > > when they do not? Clearly the echo(42); is not executed, > > and it is not printed by print(). Even more interesting is > > if you put something like echo(\"42 in $a, then you get a > > bunch of errors including: > > Fatal error - Failed evaluating code: > > print( 52); echo(\"42 ); > > > > It seems like preg_replace() is doing some strange things, > > and might be something that could be exploitable if a > > remote user can supply the first argument, and the second > > argument does not enclose \\n options. > > > > -James > > > -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php