#35960 [NEW]: preg_replace exploit using 'e' (executor)

Tue, 10 Jan 2006 03:15:10 -0800 

From:             djmaze at cpgnuke dot com
Operating system: Windows
PHP version:      5.1.1
PHP Bug Type:     *Regular Expressions
Bug description:  preg_replace exploit using 'e' (executor)

Description:
------------
When using preg_replace() with the 'e' modifier you can exploit variables
since the $ sign doesn't get backslashed.
Tested on several PHP versions both 4.x and 5.x

Reproduce code:
---------------
<?php
error_reporting(E_ALL);
$exploited = 'my password';
$exploit = '[php]$exploited[/php]';
function highlight_php($txt)
{
        return "<pre>$txt</pre>";
}
echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php("\\1")',
$exploit); # exploited

echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php(\'\\1\')',
$exploit); # no exploit
?>



Expected result:
----------------
<pre>$exploited</pre>

Actual result:
--------------
<pre>my password</pre>

-- 
Edit bug report at http://bugs.php.net/?id=35960&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=35960&r=trysnapshot44
Try a CVS snapshot (PHP 5.1): 
http://bugs.php.net/fix.php?id=35960&r=trysnapshot51
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=35960&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=35960&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=35960&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=35960&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=35960&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=35960&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=35960&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=35960&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=35960&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=35960&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=35960&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=35960&r=php3
Daylight Savings:             http://bugs.php.net/fix.php?id=35960&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=35960&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=35960&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=35960&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=35960&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=35960&r=mysqlcfg

Reply via email to