#49712 [NEW]: create_function designed for unwanted obfuscation

[list2009 at lunch dot za dot net]

From:             list2009 at lunch dot za dot net
Operating system: any
PHP version:      5.2.11
PHP Bug Type:     Feature/Change Request
Bug description:  create_function designed for unwanted obfuscation

Description:
------------
Unlike eval(), create_function can be called by reference.  It provides
an excellent hook for php obfuscation that is difficult to detect in an
automated way.  

I would like to define a list of functions that can NOT be called by
reference, and this function is first in my list, closely followed by
the other functions in this snippet, system(), ob_flush(), etc.  

Obfuscated code is one thing - obfuscated code that looks innocent is
another.

Reproduce code:
---------------
---
>From manual page: function.create-function#Description
---
Note that this code does not contain a single string for a scanner.  Only
a php interpreter can determine that this is obfuscated code, and calls
str_rot13, base64_decode and runs the base64 encoded code.
<?php
$v="_"; $v.="rot"; $v.=14-1; $v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();


Expected result:
----------------
Fatal error: Call to undefined function create_function()
or
Fatal error: function create_function cannot be called by reference.


Actual result:
--------------
U R pwnd

-- 
Edit bug report at http://bugs.php.net/?id=49712&edit=1
-- 
Try a snapshot (PHP 5.2):            
http://bugs.php.net/fix.php?id=49712&r=trysnapshot52
Try a snapshot (PHP 5.3):            
http://bugs.php.net/fix.php?id=49712&r=trysnapshot53
Try a snapshot (PHP 6.0):            
http://bugs.php.net/fix.php?id=49712&r=trysnapshot60
Fixed in SVN:                        
http://bugs.php.net/fix.php?id=49712&r=fixed
Fixed in SVN and need be documented: 
http://bugs.php.net/fix.php?id=49712&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=49712&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=49712&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=49712&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=49712&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=49712&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=49712&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=49712&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=49712&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=49712&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=49712&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=49712&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=49712&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=49712&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=49712&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=49712&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=49712&r=mysqlcfg