Vigil@nce: PHP, code execution via mb_ereg_replace
May 2009 by LA REDACTION DE GS MAG
When the mb_ereg_replace() function is used on unfiltered data, an
attacker can execute PHP code.
Severity: 2/4
Consequences: user access/rights
Provenance: internet client
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/05/2009
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The mb_ereg_replace() function uses a regular expression to define
a pattern to replace in a Unicode string. The mb_eregi_replace()
function ignores the character case.
The 'e' option causes the replacement string to be evaluated as PHP code
(after back-references such as \1 have been substituted) instead of being
inserted as a literal string. For example:
$str = 'A-b-C';
mb_ereg_replace('^A-(.*)-C$', "strtoupper('\1')", $str, 'e');
returns "A-B-C" ('b' is uppercased).
However, the mb_ereg_replace() and mb_eregi_replace() functions do
not filter the '\' character in the replacement string. An attacker
can therefore use:
$str = '\'), phpinfo(), strtoupper(\'';
in order to execute:
strtoupper(''), phpinfo(), strtoupper('')
which injects the phpinfo() function call.
When the mb_ereg_replace() function is used on unfiltered data, an
attacker can therefore execute PHP code.
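The following is an added example, not code from the advisory or from the PHP project, showing the risky 'e' usage beside the form that treats captured text as data. It assumes PHP 5.4.1 or later for mb_ereg_replace_callback(); the function names and the sample inputs are made up for illustration.

```php
<?php
// Added example (not from the advisory). Assumes PHP >= 5.4.1 so that
// mb_ereg_replace_callback() is available.

// Risky form: with the 'e' option the replacement string is evaluated as
// PHP code after \1 is substituted, so whatever the subject string contains
// between "A-" and "-C" becomes part of the evaluated expression.
function uppercase_middle_unsafe($subject)
{
    return mb_ereg_replace('^A-(.*)-C$', "strtoupper('\\1')", $subject, 'e');
}

// Hardened form: the callback receives the matches as plain data and builds
// the result with ordinary string operations; nothing is evaluated.
function uppercase_middle_safe($subject)
{
    return mb_ereg_replace_callback(
        '^A-(.*)-C$',
        function ($m) {
            return 'A-' . strtoupper($m[1]) . '-C';
        },
        $subject
    );
}

// Constructed inputs: a benign value and one containing quote and
// parenthesis characters, which the callback form handles as literal text.
$inputs = array("A-b-C", "A-it's (b)-C");

foreach ($inputs as $in) {
    echo uppercase_middle_safe($in), "\n";
}
// Expected: "A-B-C" and "A-IT'S (B)-C"; the quote characters survive
// unchanged because they are never handed to the PHP evaluator.

// A quick inventory check for code review: any call site that passes an
// options argument containing 'e' to mb_ereg_replace()/mb_eregi_replace()
// on data derived from a request should be migrated to the callback form.
```

The unsafe function is kept only to show the shape a reviewer should look for (a fourth argument containing 'e'); it should not be called on request data. The callback version needs no filtering of '\' or quote characters because the captured group is concatenated, not evaluated.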
CHARACTERISTICS
Identifiers: 48180, BID-34873, VIGILANCE-VUL-8711
http://vigilance.fr/vulnerability/PHP-code-execution-via-mb-ereg-replace-8711