lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 26 Mar 2022 09:19:33 +0100
From: Jordy Zomer <jordy@...ing.systems>
To: fulldisclosure@...lists.org
Subject: [FD] PHP filter_var vulnerability

Hello! 

When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. This vulnerability could be used to introduce vulnerabilities into code that would otherwise be safe to use. 

Due to the lack of response from the PHP security team, I have decided to make this vulnerability publicly available instead. Especially because I haven't received any updates despite numerous requests. Because of the ease with which the vulnerability can be exploited, I believe that the community has a right to be informed about it. 

Please see my write-up on https://pwning.systems/posts/php_filter_var_shenanigans/ for more information on how to exploit this vulnerability. 

Because the PHP security team has not yet patched this issue, I have attached my own one-liner patch that you can apply with the command 'git am $patchfile’. 

PATCH:
```
From 9c064e66226c9da5b9c0170342ba516055a31be5 Mon Sep 17 00:00:00 2001
From: Jordy Zomer <jordy@...ing.systems>
Date: Fri, 25 Mar 2022 18:03:34 +0100
Subject: [PATCH] Fix integer conversion that results in filter bypass.

Signed-off-by: Jordy Zomer <jordy@...ing.systems>
---
 ext/filter/logical_filters.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 91bf929a9d..96a6c72b56 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -504,7 +504,7 @@ void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
        }
 }

-static int _php_filter_validate_domain(char * domain, int len, zend_long flags) /* {{{ */
+static int _php_filter_validate_domain(char * domain, size_t len, zend_long flags) /* {{{ */
 {
        char *e, *s, *t;
        size_t l;
--
2.32.0
```

Cheers, 

Jordy Zomer (@pwningsystems)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ