I was thinking about a new injection vector for PHP. It exploits the fact that GET/POST parameters can be arrays. I want to show it with an XSS example. Imagine the following code in a PHP script (e.g. index.php):
<?php
// If $_GET['id'] is an array, (string)$_GET['id'] is "Array",
// and obviously there is no "<" in "Array"...
// strpos returns false if '<' is not in $_GET['id'].
if (strpos($_GET['id'], "<") === false)
    someLibraryEchoBack($_GET['id']);
else
    echo "< is not allowed";

function someLibraryEchoBack($value) {
    if (is_array($value)) {
        foreach ($value as $key => $string)
            echo $string;
    } else {
        echo $value;
    }
}
?>
The script would have the following output:

| URI | HTML Response |
|---|---|
| /index.php?id=<h2>A< | < is not allowed |
| /index.php?id[]=<h2>A< | <h2>A</h2> |
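The root cause is that the filter checks a value whose type it never verified. The following is an added defensive example, not code from the original post: it parses the same query strings the table uses with `parse_str()` (which builds arrays from `id[]=` exactly like `$_GET` does), rejects anything that is not a single string before any string function runs, and encodes on output instead of relying on a `<` blacklist alone. The function names `respond` and `handle` are mine.

```php
<?php
// Added example: type-check request parameters before string-based checks.
// Runs offline on PHP 7 or 8 with no web server; inputs are constructed below.
declare(strict_types=1);

/**
 * Build the HTML response for one value of the "id" parameter.
 *
 * Anything that is not a plain string (an array from id[]=..., or a missing
 * value) is rejected before strpos() ever sees it, so the array trick cannot
 * slip past the check. This also makes behaviour version-independent: on PHP 8
 * strpos() on an array throws a TypeError, on PHP 7 it returns null with a
 * warning, and neither is what a filter author intended.
 */
function respond($id): string
{
    if (!is_string($id)) {
        return 'id must be a single string';
    }
    if (strpos($id, '<') !== false) {
        return '< is not allowed';
    }
    // Encode on output regardless of the blacklist: '<' is not the only
    // character that matters in an HTML context.
    return htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Parse a raw query string the way PHP populates $_GET (arrays included). */
function handle(string $query): string
{
    parse_str($query, $params);
    return respond($params['id'] ?? null);
}

// Constructed query strings mirroring the post's table, plus two extra cases.
foreach (['id=<h2>A<', 'id[]=<h2>A<', 'id[x]=A&id[y]=B', 'id=A>B', 'x=1'] as $q) {
    printf("%-20s -> %s\n", $q, handle($q));
}
```

With these inputs the string containing `<` is refused, both array forms (`id[]=` and `id[x]=`) are refused by the type check rather than passed through to the echo routine, `A>B` comes back as `A&gt;B`, and a missing parameter is handled instead of raising a notice.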
Anyone ever heard of this? At least you get some funny PHP errors for some web applications…
Update: Of course there are already exploits with this kind of attack.