I was thinking about a new injection vector for PHP. It exploits the possibility of arrays in GET\/POST parameters. I want to show it with a XSS example. Imagine the following code in a PHP script (e.g. index.php):<\/p>\n
\r\n<?php\r\n\/\/if $_GET['id'] is an array this means (string)$_GET['id'] is "Array"\r\n\/\/and obviously there is no "<" in "Array"...\r\n\/\/strpos returns false if '<' is not in $_GET['id']\r\nif(strpos($_GET['id'],"<") === false)\r\n someLibraryEchoBack($_GET['id']);\r\nelse\r\n echo "< is not allowed";\r\n\r\nfunction someLibraryEchoBack($value){\r\n if(is_array($value)){\r\n foreach($value as $key => $string)\r\n echo $string;\r\n }\r\n else\r\n echo $value;\r\n}\r\n?>\r\n<\/pre>\nThe script would have the following output:<\/p>\n
URI<\/strong><\/td>\n| HTML Response<\/strong><\/td>\n<\/tr>\n | \/index.php?id=<h2>A<<\/td>\n | < is not allowed<\/td>\n<\/tr>\n | \/index.php?id[]=<h2>A<<\/td>\n | <h2>A<\/h2><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n | Anyone ever heard of this? At least you get some funny PHP errors for some web applications…<\/p>\n Update: Of course there are already exploits<\/a> with this kind of attack.<\/p>\n","protected":false},"excerpt":{"rendered":" I was thinking about a new injection vector for PHP. It exploits the possibility of arrays in GET\/POST parameters. I want to show it with a XSS example. Imagine the following code in a PHP script (e.g. index.php): <?php \/\/if … Continue reading |