New Injection Vector for PHP

I was thinking about a new injection vector for PHP. It exploits the fact that GET/POST parameters can be arrays. I want to show it with an XSS example. Imagine the following code in a PHP script (e.g. index.php):

<?php
//if $_GET['id'] is an array this means (string)$_GET['id'] is "Array"
//and obviously there is no "<" in "Array"...
//strpos returns false if '<' is not in $_GET['id']
if(strpos($_GET['id'],"<") === false)
   someLibraryEchoBack($_GET['id']);
else
   echo "< is not allowed";

function someLibraryEchoBack($value){
   if(is_array($value)){
      foreach($value as $key => $string)
         echo $string;
   }
   else
      echo $value;
}
?>

The script would have the following output:

URI                        HTML Response
/index.php?id=<h2>A<       < is not allowed
/index.php?id[]=<h2>A<     <h2>A</h2>
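The root cause is that the blacklist check runs a string function on a value whose type the script never verified. The following is an added example, not code from the original post: it uses parse_str (which fills an array the same way PHP fills $_GET) on a few constructed query strings, and a hardened renderId function that rejects anything but a single string before any string function sees it and then encodes the output for HTML instead of blacklisting "<". The sample query strings and the function name are assumptions for the demo; it runs from the CLI without a web server.

```php
<?php
// Added example (not from the original post). Shows how id[]=... becomes an
// array in the request parameters and how to check the type before doing
// any string processing on it.
// Run with: php check_array_param.php

function renderId(array $params)
{
    // Type check first: $params['id'] may be missing, a string, or an array.
    // A string function such as strpos() must never see the array case.
    if (!isset($params['id']) || !is_string($params['id'])) {
        return "id must be a single string";
    }
    $id = $params['id'];

    // Contextual output encoding instead of a "<" blacklist: the value is
    // safe to place in HTML text regardless of which characters it contains.
    return htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample query strings (assumption: these stand in for real
// requests). parse_str() parses them exactly like PHP parses $_GET.
$samples = [
    'id=<h2>A<',      // plain string parameter
    'id[]=<h2>A<',    // array parameter, the bypass from the post
    'id[x]=<h2>A<',   // associative array parameter, same problem
    'id=plain',       // harmless value
];

foreach ($samples as $qs) {
    parse_str($qs, $params);
    $type = isset($params['id']) ? gettype($params['id']) : 'missing';
    printf("%-15s type=%-6s -> %s\n", $qs, $type, renderId($params));
}
```

The is_string check is what closes the gap: both array forms are refused before strpos or any other string function can be handed an array, and the remaining string case no longer depends on a blacklist because htmlspecialchars encodes it for the HTML context. The same pattern applies to any parameter a script treats as scalar; for a request-wide version, filter_var with the FILTER_REQUIRE_SCALAR flag returns false for array input.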

Anyone ever heard of this? At least you get some funny PHP errors for some web applications…

Update: Of course there are already exploits with this kind of attack.
