[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] PHP filter_var vulnerability
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] PHP filter_var vulnerability
- From: Jordy Zomer <jordy@pwning.systems>
- Date: Sat, 26 Mar 2022 09:19:33 +0100
Hello!
When the filter_var function is used in conjunction with the flags
FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in
PHP that allows the filter to be bypassed. This vulnerability could be used to
introduce vulnerabilities into code that would otherwise be safe to use.
Due to the lack of response from the PHP security team, I have decided to make
this vulnerability publicly available instead. Especially because I haven't
received any updates despite numerous requests. Because of the ease with which
the vulnerability can be exploited, I believe that the community has a right to
be informed about it.
Please see my write-up on
https://pwning.systems/posts/php_filter_var_shenanigans/ for more information
on how to exploit this vulnerability.
Because the PHP security team has not yet patched this issue, I have attached
my own one-liner patch that you can apply with the command 'git am $patchfile’.
PATCH:
```
From 9c064e66226c9da5b9c0170342ba516055a31be5 Mon Sep 17 00:00:00 2001
From: Jordy Zomer <jordy@pwning.systems>
Date: Fri, 25 Mar 2022 18:03:34 +0100
Subject: [PATCH] Fix integer conversion that results in filter bypass.
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
ext/filter/logical_filters.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 91bf929a9d..96a6c72b56 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -504,7 +504,7 @@ void
php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
}
}
-static int _php_filter_validate_domain(char * domain, int len, zend_long
flags) /* {{{ */
+static int _php_filter_validate_domain(char * domain, size_t len, zend_long
flags) /* {{{ */
{
char *e, *s, *t;
size_t l;
--
2.32.0
```
Cheers,
Jordy Zomer (@pwningsystems)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/