I was thinking about a new injection vector for PHP. It exploits the possibility of arrays in GET/POST parameters. I want to show it with a XSS example. Imagine the following code in a PHP script (e.g. index.php):

<?php
//if $_GET['id'] is an array this means (string)$_GET['id'] is "Array"
//and obviously there is no "<" in "Array"...
//strpos returns false if '<' is not in $_GET['id']
if(strpos($_GET['id'],"<") === false)
   someLibraryEchoBack($_GET['id']);
else
   echo "< is not allowed";

function someLibraryEchoBack($value){
   if(is_array($value)){
      foreach($value as $key => $string)
         echo $string;
   }
   else
      echo $value;
}
?>

The script would have the following output:

Anyone ever heard of this? At least you get some funny PHP errors for some web applications…

Update: Of course there are already exploits with this kind of attack.

A colleague of mine found a URL in a typo3 homepage that looked pretty strange (HTML tags in GET parameters). After searching through the web we found out that a MD5 sum is calculated over these parameter values. Each time you send this GET request, you have to send the correct MD5 sum. The problem is that an encryptionKey is used as a salt!

This feature is described on line 156 to 164 in this typo3 source file. After searching a while I found a page that already offers a tool (that is unfortunately not downloadable anymore) to crack typo3’s encryptionKey. Because the script only supports dictionary files and searching for default encryption keys, I wrote my own script to brute force the key. I really wonder if the encryption key is strong enough. My server has nothing to do anyway (this is a offline attack!) so the script is running there…

EDIT: I read the whole encryption key thing again and I think my brute force approach is maybe not the best thing. But on the other side I tested Chris John Riley’s script and it worked quite well ;).