deep inside | security & tools - PHP, variable variables, oh my! - Comments

PHP, variable variables, oh my! - Romain

Romain — Thu, 22 Sep 2011 18:54:57 -0400

To me, the main problem is not the ability to write arrays in a var vars. The PHP docs claim that super globals cannot be overwritten (which is eventually true), but we see that we can temporarily modify them.

The problem is mostly about the access to the super globals through var vars. I'll file a bug report soon.

Thanks.

PHP, variable variables, oh my! - Toya Kyte

Toya Kyte — Thu, 22 Sep 2011 17:04:31 -0400

Correction: you set the session var to 0, overwriting it in the session (if set), so it doesn't persist. I wasn't careful. But arrays shouldn't work in var vars, so I believe a bug should be filed so we can see what comes out of it.

Thanks.

PHP, variable variables, oh my! - Toya Kyte

Toya Kyte — Thu, 22 Sep 2011 09:54:04 -0400

Hi, Romain.

You know what, wow.

You're right. This has to be a bug. Writing to the SESSION should persist, or not work at all. Can you please file this code example with the details on bugs.php.net?

Then please give us here the bug ID (or link) so we can vote it up.

PHP, variable variables, oh my! - MaXe

MaXe — Wed, 21 Sep 2011 16:01:26 -0400

Thanks Romain, your reply was very useful as I needed a proper code example to fully understand how this applies.

PHP, variable variables, oh my! - Romain

Romain — Wed, 21 Sep 2011 11:45:12 -0400

@Tokya Kite, @Trikisatan,
Interesting, I just read this part actually that it was not supposed to overwrite the session. However, my quick testing shows this is actually possible to change the values inside the session, those do not get persisted though. That means that the changes are only available for the remaining of the script.

Here is the script (rw.php) I use:

<?php
session_start();
$_SESSION['admin'] = 0;
print "Before: Admin? - " . $_SESSION['admin'] . '<br />';
while(list($name, $value) = each($_GET)) {
$$name = $value;
}
print "After: Admin? - " . $_SESSION['admin'] . '<br />';
?>

When you use something like:
http://example.com/rw.php?_SESSION[admin]=1

The trace will show:
Before: Admin? - 0
After: Admin? - 1

However, the value isadmin=1 is not persisted in the session itself. It's only dynamically set during the context of the running script.

PHP, variable variables, oh my! - briedis

briedis — Wed, 21 Sep 2011 10:33:11 -0400

If approching as a black box - not so vulnerable... But still, variable variables never should have been born :)

PHP, variable variables, oh my! - Trikisatan

Trikisatan — Wed, 21 Sep 2011 10:25:44 -0400

So, you are saying that php.net is bullshitting?
http://php.net/manual/en/language.v...
More exactly:
Warning

Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. The variable $this is also a special variable that cannot be referenced dynamically.

Superglobals:
http://www.php.net/manual/en/langua...

PHP, variable variables, oh my! - Haris

Haris — Wed, 21 Sep 2011 10:17:55 -0400

Once I encountered a similar bug on a PHP application. The way I exploited it though was different.

The location of the variable overwriting code was at the top of the file and only few variables could get overwritten. Among them was mysql_host and mysql_user/pass.

The rest of the code didn't have any authentication and all the other variables were properly initialized so one couldn't exploit an SQL injection or change the code flow to get admin access. I spend a couple days trying to figure out how to exploit this vulnerability...

I did an nmap and found that the server had the mysql server bound on 0.0.0.0 and without any host restrictions. So I overwrote the mysql_host variable and made it connect to my computer. On my computer I was running mysql proxy and had it setup to connect to the remote server.

Tada! I had complete MySQL access... without knowing the database credentials (the PHP client did the authentication for me). I wrote a few LUA scripts (this is what MySQL proxy uses) and was able to access the whole DB.

These vulnerabilities can be very tricky to exploit some times and are hard to detect with SAST. During a manual code review though one could do a grep for '$$' to find any dynamic variable assignments.

Overall great post and a great idea for some PHP challenges :)

PHP, variable variables, oh my! - PingPong

PingPong — Wed, 21 Sep 2011 10:13:20 -0400

Wouldn't exploiting the first example require very intimate knowledge of the executed code? First you'd need to know variable variables are being used, and then somehow you'd have to know to overwrite $declareSQLArray.

PHP, variable variables, oh my! - Toya Kyte

Toya Kyte — Wed, 21 Sep 2011 09:29:11 -0400

You're right the code example shows a vulnerability, but what you're not right about is that it's not immediately visible to anyone experienced with PHP. Additionally you're incorrect about PHP interpreting arrays in variable variables as in your $_SESSION example. Try to make it work. You won't be able to.

Of course, you can always fail if you demand to, say $_SESSION[$_POST['something']] but that's blatantly obviously bad.

PHP, variable variables, oh my! - Will

Will — Tue, 20 Sep 2011 19:21:46 -0400

All that besides the quite ugly DOS. Egads - I've always hated PHP but this is off the charts nauseating.