[<prev] [next>] [day] [month] [year] [list]
Message-Id: <D91D46F8-7936-4945-AEDA-B06272377FA8@pwning.systems>
Date: Sat, 26 Mar 2022 09:19:33 +0100
From: Jordy Zomer <jordy@...ing.systems>
To: fulldisclosure@...lists.org
Subject: [FD] PHP filter_var vulnerability
Hello!
When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. This vulnerability could be used to introduce vulnerabilities into code that would otherwise be safe to use.
Due to the lack of response from the PHP security team, I have decided to make this vulnerability publicly available instead. Especially because I haven't received any updates despite numerous requests. Because of the ease with which the vulnerability can be exploited, I believe that the community has a right to be informed about it.
Please see my write-up on https://pwning.systems/posts/php_filter_var_shenanigans/ for more information on how to exploit this vulnerability.
Because the PHP security team has not yet patched this issue, I have attached my own one-liner patch that you can apply with the command 'git am $patchfile’.
PATCH:
```
From 9c064e66226c9da5b9c0170342ba516055a31be5 Mon Sep 17 00:00:00 2001
From: Jordy Zomer <jordy@...ing.systems>
Date: Fri, 25 Mar 2022 18:03:34 +0100
Subject: [PATCH] Fix integer conversion that results in filter bypass.
Signed-off-by: Jordy Zomer <jordy@...ing.systems>
---
ext/filter/logical_filters.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 91bf929a9d..96a6c72b56 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -504,7 +504,7 @@ void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
}
}
-static int _php_filter_validate_domain(char * domain, int len, zend_long flags) /* {{{ */
+static int _php_filter_validate_domain(char * domain, size_t len, zend_long flags) /* {{{ */
{
char *e, *s, *t;
size_t l;
--
2.32.0
```
Cheers,
Jordy Zomer (@pwningsystems)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists