flaw in php ?
Re: flaw in php ?
Serializing preserves types. I'd have to have an int to begin with to get an int back, and all inputs for PHP come as strings.
serialize(0)
: string = "i:0;"
serialize('0')
: string = "s:1:\"0\";"
Maybe you could post a proof of concept.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: flaw in php ?
tasairis wrote:
    You think the most popular way to convert a string into a number is with serialization?
    Who, exactly, have you been talking to?

I can see you did not understand the point. What do you mean, who have I been talking to?

josh wrote:
    Maybe you could post a proof of concept.

Sure.
Code:
<?php
// The cookie is attacker-controlled: here it carries a serialized int 0 rather than a string
$_COOKIE['password'] = 'i:0;';
if (unserialize($_COOKIE['password']) == 'admin')   // loose ==: int 0 == 'admin' is true on PHP < 8
    echo 'logged in!';
else
    echo 'Not logged in!';

Re: flaw in php ?
Eh, most people I know serialize into the session. You're right, trusting cookies would be insecure, but you wouldn't serialize data into a form hidden POST field either; user input is user input.
Re: flaw in php ?
astions wrote:
    That's funny. I can't imagine how many unknown bugs are in PHP applications because of this. And not only that, but it's a security issue as well. Nice...

Tons of code out there, millions of lines to check. Will PHP do something, you think?
- Mark Baker
- Forum Regular
- Posts: 710
- Joined: Thu Oct 30, 2008 6:24 pm
Re: flaw in php ?
php_east wrote:
    astions wrote:
        That's funny. I can't imagine how many unknown bugs are in PHP applications because of this. And not only that, but it's a security issue as well. Nice...
    Tons of code out there, millions of lines to check. Will PHP do something, you think?

Ironic.... after arguing that the original problem was expected behaviour and not a bug, I just got stung by loose typecasting myself:
Code:
<?php
$testVar = 0;
$testArray = array('Zero','One','Two','Three');
// in_array() compares with == by default: int 0 == 'Zero' is true on PHP < 8, so this prints Case 1
if (in_array($testVar,$testArray)) {
    echo 'Case 1';
} elseif (is_numeric($testVar)) {
    echo 'Case 2';
} else {
    echo 'Case 3';
}
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: flaw in php ?
josh wrote:
    Eh, most people I know serialize into the session. You're right, trusting cookies would be insecure, but you wouldn't serialize data into a form hidden POST field either; user input is user input.

Yup. My point was that some people do not trust the cookies and think that checking the data content is enough. Certainly it is not. You have to check the data type too, or sanitize the data into a certain data type.
Btw, trusting the session variables is also prohibited.
@Mark: Yes, that is quite predictable. I like to use (string) in that kind of situation, like:
Code:
<?php
$testVar = 0;
$testArray = array('Zero','One','Two','Three');
// Cast first: '0' == 'Zero' compares two strings, so no numeric conversion takes place
if (in_array((string)$testVar,$testArray)) {
    echo 'Case 1';
} elseif (is_numeric($testVar)) {
    echo 'Case 2';
} else {
    echo 'Case 3';
}

Re: flaw in php ?
kaisellgren wrote:
    Btw, trusting the session variables is also prohibited.

You sure do make some crazy claims without elaborating.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: flaw in php ?
josh wrote:
    kaisellgren wrote:
        Btw, trusting the session variables is also prohibited.
    You sure do make some crazy claims without elaborating.

Maybe, but I do know what I am talking about. My book offers plenty of information about all this. Once it is finished, I will let you know about it if you want.
Re: flaw in php ?
Umm, so you found a way that a user can inject data into the tmp files used to store the serialized session data, but we have to wait until your book comes out before you'll tell the world?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: flaw in php ?
josh wrote:
    Umm, so you found a way that a user can inject data into the tmp files used to store the serialized session data, but we have to wait until your book comes out before you'll tell the world?

Forget serialization; it doesn't matter whether you use it or not. I am not just talking about session storage attacks, and it is not simple to demonstrate. It will be covered in my book; I have no time to write everything on forums. This is just a tiny area in security, after all.
Re: flaw in php ?
Mark Baker wrote:
    Thank goodness the in_array function supports an optional third parameter to enable strict type checking

I think you spoke too soon..., again.
Code:
<?php
$test = array(0,'0',-1,'-1','a string','One','Three');
foreach($test as $key=>$val)
{
    echo 'value ('.$val.') is type '.gettype($val).' and passes as => ';
    test($val);
    echo '<br />';
}
function test($testVar)
{
    $testArray = array('Zero','One','Two','Three');
    // third parameter true: strict ===, so type and value must both match
    if (in_array($testVar,$testArray,true))
    {
        echo 'Case 1';
    } elseif (is_numeric($testVar)) {
        echo 'Case 2';
    } else {
        echo 'Case 3';
    }
}
Code:
value (0) is type integer and passes as => Case 2
value (0) is type string and passes as => Case 2
value (-1) is type integer and passes as => Case 2
value (-1) is type string and passes as => Case 2
value (a string) is type string and passes as => Case 3
value (One) is type string and passes as => Case 1
value (Three) is type string and passes as => Case 1
Code:
<?php
$test = array(0,'0',-1,'-1',999,'999','a string','One','Three');
foreach($test as $key=>$val)
{
    echo 'value ('.$val.') is type '.gettype($val).' and passes as => ';
    test($val);
    echo '<br />';
}
function test($testVar)
{
    $testArray = array('Zero','One','Two','Three');
    // third parameter false: loose ==, so int 0 matches 'Zero' on PHP < 8
    if (in_array($testVar,$testArray,false))
    {
        echo 'Case 1';
    } elseif (is_numeric($testVar)) {
        echo 'Case 2';
    } else {
        echo 'Case 3';
    }
}
Code:
value (0) is type integer and passes as => Case 1
value (0) is type string and passes as => Case 2
value (-1) is type integer and passes as => Case 2
value (-1) is type string and passes as => Case 2
value (999) is type integer and passes as => Case 2
value (999) is type string and passes as => Case 2
value (a string) is type string and passes as => Case 3
value (One) is type string and passes as => Case 1
value (Three) is type string and passes as => Case 1

- Mark Baker
- Forum Regular
- Posts: 710
- Joined: Thu Oct 30, 2008 6:24 pm
Re: flaw in php ?
php_east wrote:
    Mark Baker wrote:
        Thank goodness the in_array function supports an optional third parameter to enable strict type checking
    I think you spoke too soon..., again.

It's giving me what I need for the specifics that I'm looking at, as demonstrated by your first set of test data with $strict = True. My issue was numeric 0 evaluating to Case 1 when it should be Case 2.
And it's going to need some really heavy-duty testing before I'm satisfied, but so far it's looking good. It's a tight loop that needs to be efficient for performance reasons, so I don't want to bloat the code too much.
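The two in_array runs above differ only in the third parameter, and kaisellgren's earlier post proposed a (string) cast instead. The following added example (not code from the thread or from any poster) runs the same classifier and the same test values in all three modes side by side, so the rows that change can be read off in one table. It goes one step beyond the posts by pairing the cast with strict mode, because a cast followed by loose == would still compare two numeric strings numerically ('10' == '1e1' is true).

```php
<?php
// Added example, not code from the thread. It runs the classifier posted above
// (same $testArray, same test values) in three modes:
//   loose  - in_array($v, $arr)                 (php_east's second run)
//   strict - in_array($v, $arr, true)           (php_east's first run, $strict = true)
//   cast   - in_array((string) $v, $arr, true)  (kaisellgren's (string) idea,
//            combined with strict so two numeric strings are never compared as numbers)

function classify($testVar, string $mode): string
{
    $testArray = array('Zero', 'One', 'Two', 'Three');

    switch ($mode) {
        case 'loose':
            // Loose ==: before PHP 8, int 0 == 'Zero' is true because the
            // non-numeric string converts to 0. PHP 8 compares them as strings.
            $found = in_array($testVar, $testArray);
            break;
        case 'strict':
            // ===: value and type must both match, so int 0 never matches a string.
            $found = in_array($testVar, $testArray, true);
            break;
        case 'cast':
            // Normalise the candidate to the whitelist's type, then compare strictly.
            $found = in_array((string) $testVar, $testArray, true);
            break;
        default:
            throw new InvalidArgumentException("unknown mode: $mode");
    }

    if ($found) {
        return 'Case 1';
    } elseif (is_numeric($testVar)) {
        return 'Case 2';
    }
    return 'Case 3';
}

// Runs every value through every mode and returns rows of
// [printable value, type, loose result, strict result, cast result].
function compareModes(array $values): array
{
    $rows = array();
    foreach ($values as $val) {
        $rows[] = array(
            var_export($val, true),
            gettype($val),
            classify($val, 'loose'),
            classify($val, 'strict'),
            classify($val, 'cast'),
        );
    }
    return $rows;
}

// The test values from php_east's second run.
$test = array(0, '0', -1, '-1', 999, '999', 'a string', 'One', 'Three');

printf("%-12s %-8s %-7s %-7s %-7s\n", 'value', 'type', 'loose', 'strict', 'cast');
foreach (compareModes($test) as $row) {
    vprintf("%-12s %-8s %-7s %-7s %-7s\n", $row);
}
```

Only the `loose` column is version-dependent: int 0 lands in Case 1 on PHP 5 and 7 and in Case 2 on PHP 8. The `strict` and `cast` columns agree on this whitelist; they would diverge only if the whitelist contained numeric strings such as '0', where the cast deliberately lets an int match its string form while strict mode does not.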
Re: flaw in php ?
Good for you then; my nightmare unfortunately isn't quite over with this zero thing.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: flaw in php ?
php_east wrote:
    Good for you then; my nightmare unfortunately isn't quite over with this zero thing.

What do you mean? With STRICT it does exactly what you want it to. Both 0 and '0' should match Case 2 in STRICT.
Re: flaw in php ?
kaisellgren wrote:
    php_east wrote:
        Good for you then; my nightmare unfortunately isn't quite over with this zero thing.
    What do you mean? With STRICT it does exactly what you want it to. Both 0 and '0' should match Case 2 in STRICT.

Eh? And what do *you* mean? Read my line again, slowly. I think you misunderstood me.
Or maybe you are referring to what Mark said.
Last edited by php_east on Thu Mar 12, 2009 1:31 pm, edited 2 times in total.