I was thinking about a new injection vector for PHP. It exploits the fact that GET/POST parameters can be arrays. I want to show it with an XSS example. Imagine the following code in a PHP script (e.g. index.php):
```php
<?php
// If $_GET['id'] is an array, (string)$_GET['id'] is "Array"
// and obviously there is no "<" in "Array"...
// strpos returns false if '<' is not in $_GET['id']
if (strpos($_GET['id'], "<") === false)
    someLibraryEchoBack($_GET['id']);
else
    echo "< is not allowed";

function someLibraryEchoBack($value)
{
    if (is_array($value)) {
        foreach ($value as $key => $string)
            echo $string;
    } else {
        echo $value;
    }
}
?>
```
The script would have the following output:
URI | HTML Response
--- | ---
/index.php?id=<h2>A< | < is not allowed
/index.php?id[]=<h2>A< | <h2>A</h2>
Anyone ever heard of this? At least you get some funny PHP errors for some web applications…
Update: Of course there are already exploits with this kind of attack.
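As an added example (not code from the original post), the same echo-back with the check hardened: the parameter's type is verified before any content check, and the value is escaped on output instead of blacklisting `<`. The function names and the two constructed inputs are mine; they mirror the two rows of the table above.

```php
<?php
// Added example, not part of the original post.
// The weak check compares strpos($_GET['id'], "<") against false, so a value
// that is not a string never gets inspected as the string it will be echoed as.
// The hardened version refuses anything that is not a plain string first.

function requireString($value): string
{
    // id[]=... arrives as an array; reject it (and any other non-string) here.
    // filter_var($value, FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) is an
    // equivalent built-in way to do the same type gate.
    if (!is_string($value)) {
        throw new InvalidArgumentException('id must be a string');
    }
    return $value;
}

function safeEchoBack($value): string
{
    $id = requireString($value);
    // Output encoding instead of a "<" blacklist: also neutralises quotes and &.
    return htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the string form and the array form of the same parameter.
$cases = [
    'id=<h2>A<'   => '<h2>A<',
    'id[]=<h2>A<' => ['<h2>A<'],
];
foreach ($cases as $label => $input) {
    try {
        echo $label, ' -> ', safeEchoBack($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

On PHP 8 the original strpos() call throws a TypeError when handed an array, so the weak check fails loudly there rather than being bypassed; the underlying mistake, a content check that is not type-aware, is the same either way.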