Php dynamic function Injection Vulnerability

The following describes the application of PHP, which is becoming increasingly serious in the profile. allows you to execute any method or function or read/write any domestic variable. it seems that only a small number of researchers are looking for these issues, including StefanEsser, mongogod, and Gulftech. however, this may be due to many serious application problems, especially large or complex ones. additionally, these researchers can trigger errors, but the brand they make full use of XSS if not diagnosed. seeing this uniqueness is not PHP. other understandable languages have similar problems.
For example, Perl has the Xeval function. recently MySpaceXSS eval injection problem Java [1], has been injected eval some daily application reports (CVE-2005-2483, CVE-2005-3302), Perl (CVE-2002-1750, CVE-2003-0770, CVE-2005-1527, CVE-2005-2837 ).

------------------------------------------------------
Dynamic Evaluation Vulnerabilities in PHP applications
------------------------------------------------------

The following describes the application of PHP, which is becoming increasingly serious in the profile. allows you to execute any method or function or read/write any domestic variable. it seems that only a small number of researchers are looking for these issues, including StefanEsser, mongogod, and Gulftech. however, this may be due to many serious application problems, especially large or complex ones. additionally, these researchers can trigger errors, but the brand they make full use of XSS if not diagnosed. seeing this uniqueness is not PHP. other understandable languages have similar problems.
For example, Perl has the Xeval function. recently MySpaceXSS eval injection problem Java [1], has been injected eval some daily application reports (CVE-2005-2483, CVE-2005-3302), Perl (CVE-2002-1750, CVE-2003-0770, CVE-2005-1527, CVE-2005-2837 ).

--------------
Eval Injection
--------------
Term Note: This term is not the same, but it is used in CVE. This text has no common options.

An eval injection vulnerability occurs when an attacker may control all or part of the phone number in the input string that is instilled in eval. Eval uses execution arguments as code. Security means that this is obvious. This problem is known for several years [2], but it is still under research.

Example:

$ Myvar = "varname ";
$ X = $ _ GET [arg];
Eval ("$ myvar = $ x ;");

What happens if arg is set to "10; system ("/bin/echo uh-oh ");"?

Basic detection:

Original code: because this is a standard PHP function, it is easy to call eval () on grep potentially dangerous (). However, researchers must further investigate whether the input may be controlled by attackers.

-No original code: if an error can be exploited, an invalid input may trigger an error message related to the analysis error. Input Using "phpinfo" may be useful. However, you may have to play an input matching syntax to require the declaration to be finally instilled in eval, As you sometimes need to do in XSS or SQL injection.

Eliminate problems:

-Avoid eval () whenever possible

-Use the unique acceptable value whitelists to insert the phone number into eval. Whitelist may need to be changed according to the program you are.

---------------------------
Dynamic Variable Evaluation
---------------------------

Term Note: There is no common term for this issue.

PHP supports "variable, variable," which is a variable or indicates the name of the variable evaluated for another variable [3. They may be used to dynamically change the implementation of a program during which the variable is obtained or set. This strong and convenient feature is dangerous.

If the variable name is not controlled, attackers can read or write to any mutable object based on the application. The consequence depends on the program. In some cases, even important variables such as $ _ globals may be modified [4].

Example:

$ Varname = "myvar ";
$ Varname = 10;
Echo $ myvar;

This will set $ myvar, and print the string "10 "!

It seems likely that this issue will occur more frequently as PHP
Developers modify their programs so that they do not require
Register_globals.

A number of applications have code such as the following:

$ Safevar = "0 ";
$ Param1 = "";
$ Param2 = "";
$ Param3 = "";
# My own "register globals" for param [1, 2, 3]
Foreach ($ _ GET as $ key => $ value ){
$ Key = $ value;
}

If the attacker provides "safevar = bad" in the query string, then
$ Safevar will be set to the value "bad ".

Detection Examples:

$ Varname

$ {$ Varname}

$ {$ Var. $ name}

$ {Arbitrary expression}

Eliminating the problem:

-Use only whitelists of acceptable variable names. The whitelist
Might need to change depending on where in the program you are.

---------------------------
Dynamic Function Evaluation
---------------------------

Terminology note: there is no common term for this kind of issue.

Variable variables can also be used to dynamically reference
Functions:

$ Funcname = "myfunction ";

$ Funcname ("Arg1", "Arg2 ");

This variable tively CILS myfunction ("Arg1", "Arg2 ")!

Detection Examples:

$ Fname ();

$ {$ Var1. $ var2} ("arg ");

$ {"Varname "}();

Eliminating the problem:

-Use only whitelists of acceptable function names. The whitelist
Might need to change depending on where in the program you are.

----------
References
----------

[1] Myspace.com-Intricate Script Injection
Justin Lavoie
Http://marc.theaimsgroup.com /? L = bugtraq & m = 114469411219299 & w = 2

[2] A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications
Shaun Clowes
Http://www.securereality.com.au/studyinscarlet.txt

This classic paper briefly mentioned the risk of eval

[3] PHP: Variable variables
Http://us3.php.net/manual/en/language.variables.variable.php

[4] $ GLOBALS Overwrite and its Consequences
Stefan Esser
Http://www.hardened-php.net/globals-problem

This paper talks specifically about dynamic variable evaluation
And the impact on superglobals such as $ _ GLOBALS. Esser was one
Of the first (if not the first) researchers to use the term "eval
Injection ".

-------------------------
Sample Vulnerable Program
-------------------------

 

Dynamic Evaluation Vulnerabilities in PHP Applications-Examples

 
Dynamic variable evaluation (a "variable ")
? Varname = myvar
 

Dynamic function evaluation
? Myfunc = phpinfo
 

Eval injection
? Ev = do_this ();
 

 

// Error_reporting (8 );
// Ini_set (display_errors, 1 );
// Ini_set (display_startup_errors, 1 );

Function do_this () {echo "Do this!
";}

$ Test = $ _ GET [test];
If ($ test = 1)
{
Echo "= Implicit variable evaluation in $ myvar =
";
Echo "Parameter varname =". $ _ GET [varname]."
";
$ Myvar = "unchangeable value ";
Echo "before: $ myvar =" ". $ myvar .""
";
$ Varname = $ _ GET [varname];
Echo "EXECUTE: $ varname =" new value ";
";
$ Varname = "new value ";
Echo "after: $ myvar =" ". $ myvar .""
";
}
Elseif ($ test = 2)
{
Echo "=== Implicit function evaluation in $ myfunc ====
";
$ Myfunc = $ _ GET [myfunc];
Echo "EXECUTE: $ myfunc ();
";
$ {"Myfunc "}();
$ Myfunc ();
}
Elseif ($ test = 3)
{
Echo "= Eval Injection in $ ev =
";
$ Ev = $ _ GET [ev];
Echo "EXECUTE: eval ($ ev );
";
Echo "actual statement will be: eval ($ ev)

";
Eval ($ ev );
}
?>