
Re: flaw in php ?

Posted: Wed Mar 11, 2009 1:27 am
by josh
Serializing preserves types. I'd have to have an int to begin with to get an int back, and all inputs for PHP come as strings.

serialize(0)
: string = "i:0;"
serialize('0')
: string = "s:1:\"0\";"


Maybe you could post a proof of concept.

Re: flaw in php ?

Posted: Wed Mar 11, 2009 9:16 am
by kaisellgren
tasairis wrote:You think the most popular way to convert a string into a number is with serialization?

Who, exactly, have you been talking to?
I can see you did not understand the point. What do you mean who have I been talking to?
josh wrote:Maybe you could post a proof of concept.
Sure.

Code:

<?php
// Attacker-controlled cookie carrying a serialized integer 0 (the thread's PoC).
$_COOKIE['password'] = 'i:0;';

// unserialize() restores the integer, so the loose comparison becomes
// 0 == 'admin', which is true on PHP < 8 (the non-numeric string converts to 0).
if (unserialize($_COOKIE['password']) == 'admin')
    echo 'logged in!';
else
    echo 'Not logged in!';
A similar code was in phpBB earlier.
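The PoC above beside a hardened version of the same check, added here as an example and not code from the thread or from phpBB. It assumes PHP 7 or later (scalar type declarations and the `allowed_classes` option of `unserialize()`), and the cookie payloads in `$payloads` are constructed for the demonstration. The hypothetical function names `isAdminLoose` and `isAdminStrict` are mine.

```php
<?php
// Added example, not code from the thread: the PoC beside a hardened check,
// run over a handful of constructed cookie payloads.

// Vulnerable form (mirrors the thread's snippet): the attacker chooses the
// TYPE of $value through the serialized payload, and == then adapts to it.
function isAdminLoose(string $cookie): bool
{
    $value = @unserialize($cookie);
    return $value == 'admin';
}

// Hardened form: never let unserialize() hand back anything but a string,
// and compare strictly. allowed_classes => false (PHP >= 7.0) additionally
// refuses to instantiate objects, the other classic unserialize() risk.
function isAdminStrict(string $cookie): bool
{
    $value = @unserialize($cookie, ['allowed_classes' => false]);
    return is_string($value) && $value === 'admin';
}

// Constructed payloads and what unserialize() turns each one into.
$payloads = [
    'i:0;'         => 'int 0      (passes loose on PHP < 8)',
    'b:1;'         => 'bool true  (passes loose on every PHP version)',
    's:5:"admin";' => 'the genuine string',
    's:4:"user";'  => 'a wrong string',
    'garbage'      => 'unserialize() fails and returns false',
];

foreach ($payloads as $cookie => $what) {
    printf("%-14s %-48s loose=%-5s strict=%s\n",
        $cookie, $what,
        isAdminLoose($cookie) ? 'true' : 'false',
        isAdminStrict($cookie) ? 'true' : 'false');
}
```

The `b:1;` row is the one worth remembering: PHP 8 tightened number-to-string comparison so that `0 == 'admin'` is now false, but a boolean compared with `==` still converts the other side to boolean, so `true == 'admin'` stays true on every PHP version. Checking the type before comparing, or using `===`, closes both.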

Re: flaw in php ?

Posted: Wed Mar 11, 2009 11:30 pm
by josh
Eh, most people I know serialize into the session. You're right, trusting cookies would be insecure, but you wouldn't serialize data into a hidden POST form field either; user input is user input.

Re: flaw in php ?

Posted: Thu Mar 12, 2009 7:43 am
by php_east
astions wrote:That's funny. I can't imagine how many unknown bugs are in PHP applications because of this. And not only that, but it's a security issue as well. Nice...
Tons of code out there, millions of lines to check. Will PHP do something, you think?

Re: flaw in php ?

Posted: Thu Mar 12, 2009 8:08 am
by Mark Baker
php_east wrote:
astions wrote:That's funny. I can't imagine how many unknown bugs are in PHP applications because of this. And not only that, but it's a security issue as well. Nice...
Tons of code out there, millions of lines to check. Will PHP do something, you think?
Ironic... after arguing that the original problem was expected behaviour and not a bug, I just got stung by loose typecasting myself:

Code:

<?php
$testVar = 0;
$testArray = array('Zero','One','Two','Three');
// Loose in_array(): 0 == 'Zero' is true on PHP < 8, so this prints 'Case 1'.
if (in_array($testVar,$testArray)) {
   echo 'Case 1';
} elseif (is_numeric($testVar)) {
   echo 'Case 2';
} else {
   echo 'Case 3';
}
Thank goodness the in_array function supports an optional third parameter to enable strict type checking.

Re: flaw in php ?

Posted: Thu Mar 12, 2009 9:40 am
by kaisellgren
josh wrote:Eh most people I know serialize into the session, youre right trusting cookies would be insecure, but you wouldn't serialize data into a form hidden POST field either, user input is user input
Yup. My point was that some people do not trust the cookies and think that checking for the data content is enough. Certainly it is not. You have to check the data type, too, or sanitize the data into a certain data type.

Btw, trusting the session variables is also prohibited :wink:

@Mark: Yes, that is quite predictable. I like to use (string) in that kind of situation, like:

Code:

<?php
$testVar = 0;
$testArray = array('Zero','One','Two','Three');
// (string)0 is "0"; two strings compare as strings unless both are numeric,
// so "0" == 'Zero' is false and the elseif branch wins.
if (in_array((string)$testVar,$testArray)) {
   echo 'Case 1';
} elseif (is_numeric($testVar)) {
   echo 'Case 2';
} else {
   echo 'Case 3';
}
Returns "Case 2".

Re: flaw in php ?

Posted: Thu Mar 12, 2009 11:13 am
by josh
kaisellgren wrote:Btw, trusting the session variables is also prohibited :wink:
You sure do make some crazy claims without elaborating :D

Re: flaw in php ?

Posted: Thu Mar 12, 2009 11:28 am
by kaisellgren
josh wrote:
kaisellgren wrote:Btw, trusting the session variables is also prohibited :wink:
You sure do make some crazy claims without elaborating :D
Maybe, but I do know what I am talking about. My book offers plenty of information about all this. Once it is finished, I will let you know about it if you want. :)

Re: flaw in php ?

Posted: Thu Mar 12, 2009 11:32 am
by josh
Umm, so you found a way that a user can inject data into the tmp files used to store the serialized session data, but we have to wait until your book comes out before you'll tell the world?

Re: flaw in php ?

Posted: Thu Mar 12, 2009 12:13 pm
by kaisellgren
josh wrote:Umm so you found a way that a user can inject data into the tmp files used to store the serialized session data but we have to wait until your book comes out before you'll tell the world?
:lol:

Forget serialization; it doesn't matter whether you use it or not. I am not just talking about session storage attacks, and it is not simple to demonstrate. It will be covered in my book; I have no time to write everything on forums. This is just a tiny area in security after all.

Re: flaw in php ?

Posted: Thu Mar 12, 2009 12:31 pm
by php_east
Mark Baker wrote: Thank goodness the in_array function supports an optional third parameter to enable strict type checking
I think you spoke too soon... again. :wink:

Code:

<?php
$test = array(0,'0',-1,'-1','a string','One','Three');
foreach ($test as $val) {
    echo 'value ('.$val.') is type '.gettype($val).' and passes as => ';
    test($val);
    echo '<br />';
}

// Strict in_array(): the needle must match an element in both value and type.
function test($testVar)
{
    $testArray = array('Zero','One','Two','Three');

    if (in_array($testVar, $testArray, true)) {
        echo 'Case 1';
    } elseif (is_numeric($testVar)) {
        echo 'Case 2';
    } else {
        echo 'Case 3';
    }
}
results for STRICT

Code:

value (0) is type integer and passes as => Case 2
value (0) is type string and passes as => Case 2
value (-1) is type integer and passes as => Case 2
value (-1) is type string and passes as => Case 2
value (a string) is type string and passes as => Case 3
value (One) is type string and passes as => Case 1
value (Three) is type string and passes as => Case 1

Code:

<?php
$test = array(0,'0',-1,'-1',999,'999','a string','One','Three');
foreach ($test as $val) {
    echo 'value ('.$val.') is type '.gettype($val).' and passes as => ';
    test($val);
    echo '<br />';
}

// Loose in_array() (the default): needle and elements compare with ==.
// On PHP < 8 the integer 0 matches 'Zero' because the non-numeric string
// converts to 0; on PHP 8 that comparison is false and 0 lands in Case 2.
function test($testVar)
{
    $testArray = array('Zero','One','Two','Three');

    if (in_array($testVar, $testArray, false)) {
        echo 'Case 1';
    } elseif (is_numeric($testVar)) {
        echo 'Case 2';
    } else {
        echo 'Case 3';
    }
}
 
results for NON STRICT

Code:

value (0) is type integer and passes as => Case 1
value (0) is type string and passes as => Case 2
value (-1) is type integer and passes as => Case 2
value (-1) is type string and passes as => Case 2
value (999) is type integer and passes as => Case 2
value (999) is type string and passes as => Case 2
value (a string) is type string and passes as => Case 3
value (One) is type string and passes as => Case 1
value (Three) is type string and passes as => Case 1
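Mark's strict third parameter, kaisellgren's `(string)` cast and php_east's tables above all concern `in_array()`, but it is only one of the PHP constructs that compare with `==` by default. The block below is an added example, not code from the thread or its participants: it runs the same kind of input table through `in_array()`, `switch` and `array_search()` in their loose and strict forms, and adds a whitelist helper that combines the two earlier ideas (normalise the type, then compare strictly). It assumes PHP 7 or later for the type declarations; the `$inputs` list is constructed, and the helper names (`looseInArray`, `allowedValue` and the rest) are mine.

```php
<?php
// Added example, not code from the thread. in_array() is one of several PHP
// constructs that compare with == by default; switch and array_search()
// behave the same way. Each loose form is shown beside a strict one, and a
// whitelist helper normalises the input's type before comparing strictly.

$allowed = ['Zero', 'One', 'Two', 'Three'];

function looseInArray($v, array $allowed): bool
{
    return in_array($v, $allowed);                 // ==
}
function looseSwitch($v): bool
{
    switch ($v) {                                  // switch compares with ==
        case 'Zero': case 'One': case 'Two': case 'Three':
            return true;
        default:
            return false;
    }
}
function looseArraySearch($v, array $allowed): bool
{
    return array_search($v, $allowed) !== false;   // == unless $strict is given
}
function strictInArray($v, array $allowed): bool
{
    return in_array($v, $allowed, true);           // ===
}
// Whitelist check for values that arrive as strings (GET/POST/cookie): reject
// every type except string and int outright, then compare strictly as strings.
function allowedValue($v, array $allowed): bool
{
    if (!is_string($v) && !is_int($v)) {
        return false;                              // bool, null, float, array, object
    }
    return in_array((string) $v, $allowed, true);
}

// Constructed inputs. On PHP < 8 the int 0 row is accepted by all three loose
// forms (0 == 'Zero'); on PHP 8 that row becomes false. The bool true row is
// accepted by the loose forms on every version (true == 'Zero'), and only the
// genuine 'One' passes the strict and whitelist columns.
$inputs = [0, '0', true, null, 1, 'One', ['One']];

$b = function (bool $x): string { return $x ? 'true' : 'false'; };
printf("%-8s %-8s %-8s %-8s %-8s %s\n",
    'input', 'in_arr', 'switch', 'search', 'strict', 'whitelist');
foreach ($inputs as $v) {
    printf("%-8s %-8s %-8s %-8s %-8s %s\n",
        json_encode($v),
        $b(looseInArray($v, $allowed)),
        $b(looseSwitch($v)),
        $b(looseArraySearch($v, $allowed)),
        $b(strictInArray($v, $allowed)),
        $b(allowedValue($v, $allowed)));
}
```

The point of `allowedValue()` over a bare `(string)` cast is the type gate in front of it: `(string) true` is `"1"` and `(string) null` is `""`, so casting alone still lets a boolean or a null reach the comparison with a value the caller never intended, and a cast of an array only produces a notice and the literal `"Array"`. Rejecting those types first, then comparing strictly, gives the same answer on every PHP version.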

Re: flaw in php ?

Posted: Thu Mar 12, 2009 1:01 pm
by Mark Baker
php_east wrote:
Mark Baker wrote: Thank goodness the in_array function supports an optional third parameter to enable strict type checking
i think you spoke too soon..., again. :wink:
It's giving me what I need for the specifics that I'm looking at, as demonstrated by your first set of test data with $strict = True. My issue was numeric 0 evaluating to Case 1 when it should be Case 2.

And it's going to need some really heavy duty testing before I'm satisfied, but so far it's looking good. It's a tight loop that needs to be efficient for performance reasons, so I don't want to bloat the code too much.

Re: flaw in php ?

Posted: Thu Mar 12, 2009 1:08 pm
by php_east
good for you then, my nightmare unfortunately isn't quite over with this zero thing.

Re: flaw in php ?

Posted: Thu Mar 12, 2009 1:19 pm
by kaisellgren
php_east wrote:good for you then, my nightmare unfortunately isn't quite over with this zero thing.
What do you mean? With STRICT it does exactly what you want it to? Both 0 and '0' should match Case 2 in STRICT.

Re: flaw in php ?

Posted: Thu Mar 12, 2009 1:22 pm
by php_east
kaisellgren wrote:
php_east wrote:good for you then, my nightmare unfortunately isn't quite over with this zero thing.
What do you mean? With STRICT it does exactly what you want it to? Both 0 and '0' should match Case 2 in STRICT.
Eh? And what do *you* mean? Read my line again, slowly. I think you misunderstood me. :banghead:
Or maybe you are referring to what Mark said.