flaw in php ?

josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: flaw in php ?

Post by josh »

Serializing preserves types. I'd have to have an int to begin with to get an int back, and all inputs for PHP come as strings.

serialize(0)
: string = "i:0;"
serialize('0')
: string = "s:1:\"0\";"


Maybe you could post a proof of concept.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: flaw in php ?

Post by kaisellgren »

tasairis wrote:You think the most popular way to convert a string into a number is with serialization?

Who, exactly, have you been talking to?
I can see you did not understand the point. What do you mean who have I been talking to?
josh wrote:Maybe you could post a proof of concept.
Sure.

$_COOKIE['password'] = 'i:0;';
if (unserialize($_COOKIE['password']) == 'admin')
 echo 'logged in!';
else
 echo 'Not logged in!';
A similar code was in phpBB earlier.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: flaw in php ?

Post by josh »

Eh, most people I know serialize into the session. You're right, trusting cookies would be insecure, but you wouldn't serialize data into a hidden POST form field either; user input is user input.
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: flaw in php ?

Post by php_east »

astions wrote:That's funny. I can't imagine how many unknown bugs are in PHP applications because of this. And not only that, but it's a security issue as well. Nice...
Tons of code out there, millions of lines to check. Will PHP do something, do you think?
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: flaw in php ?

Post by Mark Baker »

php_east wrote:
astions wrote:That's funny. I can't imagine how many unknown bugs are in PHP applications because of this. And not only that, but it's a security issue as well. Nice...
Tons of code out there, millions of lines to check. Will PHP do something, do you think?
Ironic.... after arguing that the original problem was expected behaviour and not a bug, I just got stung by loose typecasting myself:

$testVar = 0;
$testArray = array('Zero', 'One', 'Two', 'Three');
if (in_array($testVar, $testArray)) {
    echo 'Case 1';
} elseif (is_numeric($testVar)) {
    echo 'Case 2';
} else {
    echo 'Case 3';
}
Thank goodness the in_array function supports an optional third parameter to enable strict type checking
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: flaw in php ?

Post by kaisellgren »

josh wrote:Eh, most people I know serialize into the session. You're right, trusting cookies would be insecure, but you wouldn't serialize data into a hidden POST form field either; user input is user input.
Yup. My point was that some people do not trust the cookies and think that checking for the data content is enough. Certainly it is not. You have to check the data type, too, or sanitize the data into a certain data type.

Btw, trusting the session variables is also prohibited :wink:

@Mark: Yes, that is quite predictable. I like to use (string) in that kind of situation, like:

$testVar = 0;
$testArray = array('Zero', 'One', 'Two', 'Three');
if (in_array((string) $testVar, $testArray)) {
    echo 'Case 1';
} elseif (is_numeric($testVar)) {
    echo 'Case 2';
} else {
    echo 'Case 3';
}
Returns "Case 2".
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: flaw in php ?

Post by josh »

kaisellgren wrote:Btw, trusting the session variables is also prohibited :wink:
You sure do make some crazy claims without elaborating :D
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: flaw in php ?

Post by kaisellgren »

josh wrote:
kaisellgren wrote:Btw, trusting the session variables is also prohibited :wink:
You sure do make some crazy claims without elaborating :D
Maybe, but I do know what I am talking about. My book offers plenty of information about all this. Once it is finished, I will let you know about it if you want. :)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: flaw in php ?

Post by josh »

Umm, so you found a way that a user can inject data into the tmp files used to store the serialized session data, but we have to wait until your book comes out before you'll tell the world?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: flaw in php ?

Post by kaisellgren »

josh wrote:Umm so you found a way that a user can inject data into the tmp files used to store the serialized session data but we have to wait until your book comes out before you'll tell the world?
:lol:

Forget serialization; it doesn't matter whether you use it or not. I am not just talking about session storage attacks, and it is not simple to demonstrate. It will be covered in my book; I have no time to write everything on forums. This is just a tiny area in security after all.
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: flaw in php ?

Post by php_east »

Mark Baker wrote: Thank goodness the in_array function supports an optional third parameter to enable strict type checking
I think you spoke too soon..., again. :wink:

$test = array(0, '0', -1, '-1', 'a string', 'One', 'Three');
foreach ($test as $key => $val) {
    echo 'value (' . $val . ') is type ' . gettype($val) . ' and passes as  => ';
    test($val);
    echo '<br />';
}

function test($testVar)
{
    $testArray = array('Zero', 'One', 'Two', 'Three');

    if (in_array($testVar, $testArray, true)) {
        echo 'Case 1';
    } elseif (is_numeric($testVar)) {
        echo 'Case 2';
    } else {
        echo 'Case 3';
    }
}

results for STRICT

value (0) is type integer and passes as => Case 2
value (0) is type string and passes as => Case 2
value (-1) is type integer and passes as => Case 2
value (-1) is type string and passes as => Case 2
value (a string) is type string and passes as => Case 3
value (One) is type string and passes as => Case 1
value (Three) is type string and passes as => Case 1

$test = array(0, '0', -1, '-1', 999, '999', 'a string', 'One', 'Three');
foreach ($test as $key => $val) {
    echo 'value (' . $val . ') is type ' . gettype($val) . ' and passes as  => ';
    test($val);
    echo '<br />';
}

function test($testVar)
{
    $testArray = array('Zero', 'One', 'Two', 'Three');

    if (in_array($testVar, $testArray, false)) {
        echo 'Case 1';
    } elseif (is_numeric($testVar)) {
        echo 'Case 2';
    } else {
        echo 'Case 3';
    }
}

results for NON STRICT

value (0) is type integer and passes as => Case 1
value (0) is type string and passes as => Case 2
value (-1) is type integer and passes as => Case 2
value (-1) is type string and passes as => Case 2
value (999) is type integer and passes as => Case 2
value (999) is type string and passes as => Case 2
value (a string) is type string and passes as => Case 3
value (One) is type string and passes as => Case 1
value (Three) is type string and passes as => Case 1
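The two loose-comparison pitfalls in this thread (kaisellgren's unserialize() cookie check and the in_array() tests above) side by side with strict forms, as an added example that is not code from any poster. It needs PHP 7 or later; the cookie value, the allowed list and the expected token are constructed placeholders.

```php
<?php
// Added example (not the thread's code): the two loose-comparison pitfalls
// discussed above, each beside a strict form. All values are constructed.

// The forged cookie from kaisellgren's PoC: a serialized integer 0.
const FORGED_COOKIE = 'i:0;';

// Vulnerable: unserialize() yields int 0, and 0 == 'admin' is true on PHP 5/7
// because the non-numeric string is cast to 0. PHP 8 changed that rule, so the
// same line returns false there, but the check is wrong on every version.
function isAdminLoose(string $cookie): bool
{
    return unserialize($cookie) == 'admin';
}

// Hardened: treat the cookie as an opaque string, never unserialize it, and
// compare it with hash_equals() (strict, constant-time). The expected token is
// a placeholder; in practice it would come from server-side session state.
function isAdminStrict(string $cookie, string $expectedToken): bool
{
    return hash_equals($expectedToken, $cookie);
}

// The in_array() branch from the thread. In loose mode on PHP 5/7, int 0 equals
// 'Zero', 'One', ... so 0 lands in Case 1 instead of Case 2.
function classify($v, bool $strict): string
{
    $allowed = ['Zero', 'One', 'Two', 'Three'];
    if (in_array($v, $allowed, $strict)) {
        return 'Case 1';
    }
    if (is_numeric($v)) {
        return 'Case 2';
    }
    return 'Case 3';
}

// Normalising to string before a strict lookup (kaisellgren's (string) cast)
// gives the same answer on every PHP version: 0 and '0' both reach Case 2.
function classifyNormalised($v): string
{
    return classify((string) $v, true);
}

foreach ([0, '0', -1, 999, 'One', 'a string'] as $v) {
    printf("%-10s %-7s loose=%s strict=%s normalised=%s\n", var_export($v, true),
        gettype($v), classify($v, false), classify($v, true), classifyNormalised($v));
}
printf("cookie %s: loose=%s strict=%s\n", FORGED_COOKIE,
    var_export(isAdminLoose(FORGED_COOKIE), true),
    var_export(isAdminStrict(FORGED_COOKIE, 'placeholder-token'), true));
```

On PHP 7 the loose column reproduces the NON STRICT table above (int 0 in Case 1, cookie check true); the strict and normalised columns match the STRICT table on every version.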
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: flaw in php ?

Post by Mark Baker »

php_east wrote:
Mark Baker wrote: Thank goodness the in_array function supports an optional third parameter to enable strict type checking
I think you spoke too soon..., again. :wink:
It's giving me what I need for the specifics that I'm looking at, as demonstrated by your first set of test data with $strict = True. My issue was numeric 0 evaluating to Case 1 when it should be Case 2.

And it's going to need some really heavy duty testing before I'm satisfied, but so far it's looking good. It's a tight loop that needs to be efficient for performance reasons, so I don't want to bloat the code too much.
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: flaw in php ?

Post by php_east »

Good for you then; my nightmare unfortunately isn't quite over with this zero thing.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: flaw in php ?

Post by kaisellgren »

php_east wrote:Good for you then; my nightmare unfortunately isn't quite over with this zero thing.
What do you mean? With STRICT it does exactly what you want it to? Both 0 and '0' should match Case 2 in STRICT.
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: flaw in php ?

Post by php_east »

kaisellgren wrote:
php_east wrote:Good for you then; my nightmare unfortunately isn't quite over with this zero thing.
What do you mean? With STRICT it does exactly what you want it to? Both 0 and '0' should match Case 2 in STRICT.
Eh? And what do *you* mean? Read my line again, slowly. I think you misunderstood me. :banghead:
Or maybe you are referring to what Mark said.
Last edited by php_east on Thu Mar 12, 2009 1:31 pm, edited 2 times in total.