List: full-disclosure
Subject: [FD] PHP filter_var vulnerability
From: Jordy Zomer <jordy () pwning ! systems>
Date: 2022-03-26 8:19:33
Message-ID: D91D46F8-7936-4945-AEDA-B06272377FA8 () pwning ! systems
Hello!
When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. This vulnerability could be used to introduce vulnerabilities into code that would otherwise be safe to use.
Due to the lack of response from the PHP security team, I have decided to make this vulnerability publicly available instead, especially because I haven't received any updates despite numerous requests. Because of the ease with which the vulnerability can be exploited, I believe that the community has a right to be informed about it.
Please see my write-up on https://pwning.systems/posts/php_filter_var_shenanigans/ for more information on how to exploit this vulnerability.
Because the PHP security team has not yet patched this issue, I have attached my own one-liner patch that you can apply with the command 'git am $patchfile'.
PATCH:
```
From 9c064e66226c9da5b9c0170342ba516055a31be5 Mon Sep 17 00:00:00 2001
From: Jordy Zomer <jordy@pwning.systems>
Date: Fri, 25 Mar 2022 18:03:34 +0100
Subject: [PATCH] Fix integer conversion that results in filter bypass.
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
ext/filter/logical_filters.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 91bf929a9d..96a6c72b56 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -504,7 +504,7 @@ void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
}
}
-static int _php_filter_validate_domain(char * domain, int len, zend_long flags) /* {{{ */
+static int _php_filter_validate_domain(char * domain, size_t len, zend_long flags) /* {{{ */
{
char *e, *s, *t;
size_t l;
--
2.32.0
```
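Review bot: the hunk changes only the declared type of `len` in `_php_filter_validate_domain` from `int` to `size_t`, while every caller and any forward declaration of the function sit outside the seven lines of context, so each call site should be checked to confirm the argument it passes is already a `size_t` and that the narrowing has not simply moved to the caller. Inside the function the visible local `size_t l;` indicates `len` is compared or combined with unsigned values; the commit message ("Fix integer conversion that results in filter bypass") would be stronger if it named the specific comparison where the signed `int len` produced the bypass, and the change should come with a regression test exercising that input length.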
Cheers,
Jordy Zomer (@pwningsystems)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/