PHP Security: extract() & MySQL Injection


patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

PHP Security: extract() & MySQL Injection

Post by patrikG »

PHP Security Blog wrote: Tobias Schlitt gave me a link to the article 10 Tips That Every PHP Developer Should Know, Part 2 by Jeffery Vaska that recently appeared on phpbuilder.com. I was kinda shocked when I saw Tip #5, that describes how to deal with $_GET and $_POST. It mentions that a developer can use extract($_POST) to eliminate the need of assigning every single entry manually. It also mentions:

This is a matter of convenience and is not always a best practice.

It completely fails to mention that using extract() without using prefixes or the parameter EXTR_SKIP is usually a very big security hole, because it allows an external attacker to overwrite every variable, including the superglobals (unless you use the Hardening-Patch), and this can lead in many cases to SQL injection or even Remote Code Execution Vulnerabilities.

Gulftech has recently released an advisory for Squirrelmail that describes exactly such an extract($_POST) flaw.
source: http://blog.php-security.org/archives/5 ... -Know.html
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

If extract was replaced by parse_str then wouldn't the same security issue arise?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Yup. The issue is really that unchecked/unverified user-input is assigned to PHP variables. extract(), however, is, from my experience, more commonly used than parse_str().
theda
Forum Contributor
Posts: 332
Joined: Sat Feb 19, 2005 8:35 am
Location: USA

Post by theda »

So basically... Don't use them?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

For superglobals (e.g. $_POST, $_GET, $_REQUEST etc.) it's a gaping security hole waiting to be exploited. Don't use extract/parse_str on them as these functions blindly assign unchecked values.
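The two points made in this thread (extract() and parse_str() blindly assign request values into the local scope, and unchecked input then reaches a query) can be seen side by side in the following added example. It is not code from the thread or from the quoted blog: the POST body, the table and column names, and the in-memory SQLite database reached through PDO are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a hostile request: the client chooses every key,
// including names the developer never expected to receive.
$post = [
    'name'     => "alice' OR '1'='1",
    'table'    => 'users; DROP TABLE users; --',  // collides with a developer-owned variable
    'is_admin' => '1',                             // collides with a session-derived flag
];

// 1. Vulnerable: extract($_POST) lets the request overwrite local variables,
//    so a fixed table name and an authorisation flag become client-controlled
//    and the string-built query is injectable.
function lookupWithExtract(array $post): string
{
    $table    = 'users';   // meant to be fixed in code
    $is_admin = false;     // meant to come from the session, never from the client
    extract($post);        // $table, $is_admin and $name now all come from the request
    $sql = "SELECT * FROM $table WHERE name = '$name'";
    if ($is_admin) {
        $sql .= ' /* admin view */';
    }
    return $sql;
}

// 2. Partial mitigation: EXTR_SKIP refuses to overwrite variables that already
//    exist and EXTR_PREFIX_ALL namespaces every extracted name. Both stop the
//    collision above, but the values are still unvalidated and still unsafe in SQL.
function extractWithSkip(array $post): array
{
    $table    = 'users';
    $is_admin = false;
    extract($post, EXTR_SKIP);               // existing $table/$is_admin survive; $name is new
    extract($post, EXTR_PREFIX_ALL, 'req');  // creates $req_name, $req_table, $req_is_admin
    return ['table' => $table, 'is_admin' => $is_admin, 'name' => $name, 'req_table' => $req_table];
}

// 3. Hardened: take only the fields you expect, from the array you expect them
//    in, keep identifiers out of the request entirely, and bind values with a
//    prepared statement. parse_str() gets the same treatment: always pass the
//    result array instead of letting it write into the local scope.
function lookupSafely(array $post, PDO $db): array
{
    $table = 'users';                           // identifier fixed in code
    $name  = (string) ($post['name'] ?? '');    // one named field, nothing else
    $stmt  = $db->prepare("SELECT id, name FROM {$table} WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function parseQuerySafely(string $query): array
{
    parse_str($query, $params);                 // results land in $params, not in local variables
    return ['name' => (string) ($params['name'] ?? '')];
}

// Demo against an in-memory SQLite database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo lookupWithExtract($post), PHP_EOL;        // the injected table name and admin flag appear in the SQL
print_r(extractWithSkip($post));               // $table and $is_admin keep the values set in code
print_r(lookupSafely($post, $db));             // empty: the literal string matches no user
print_r(parseQuerySafely('name=alice&table=evil'));
```

Running it shows the vulnerable function emitting a query whose table name and comment marker come straight from the request, while the EXTR_SKIP variant keeps the coded values and the prepared statement treats the whole submitted string as a single bound value. Note that parse_str() without a result array was deprecated in PHP 7.2 and removed in 8.0, so the second-argument form is the only one that still exists on current releases.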
theda
Forum Contributor
Posts: 332
Joined: Sat Feb 19, 2005 8:35 am
Location: USA

Post by theda »

Well, from what I've heard, Superglobals have always been a security hole since inception...
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

nope.
theda
Forum Contributor
Posts: 332
Joined: Sat Feb 19, 2005 8:35 am
Location: USA

Post by theda »

Well, not on their own, I mean, but they've been the center of a lot of holes relating to other functions that use them. I believe PHP.net's website mentioned to turn off Superglobals at one time, and even had them turned off as default in their installs (before PHP 5 of course... This is all PHP 4). I've been playing with PHP since PHP 3... Yet I still haven't given PHP enough time to learn it X_x.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

You're confusing globals and superglobals. See http://uk.php.net/register_globals
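The distinction drawn in the reply above, as an added example that is not part of the thread: superglobals such as $_GET and $_POST are only arrays and are harmless to read, whereas the old register_globals setting (default On before PHP 4.2, removed in PHP 5.4) copied every request key into an ordinary global variable before the script ran. Because the option no longer exists, its effect is simulated here with extract(), and the request array, the password and the flag name are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Simulates what register_globals=On did at startup: every request key became a
// global variable. Done explicitly with extract() so the effect is visible on a
// modern PHP where the option has been removed.
function fragileCheck(array $request): bool
{
    extract($request);                               // stands in for register_globals=On
    if (($password ?? '') === 'correct-horse') {     // constructed credential, demo only
        $authorized = true;
    }
    return !empty($authorized);                      // never initialised on the failure path
}

// Hardened: initialise the flag before any use and read the credential by name
// from the request array, so no request key can pre-set either variable.
function hardenedCheck(array $request): bool
{
    $authorized = false;
    $password   = (string) ($request['password'] ?? '');
    if (hash_equals('correct-horse', $password)) {   // constant-time comparison
        $authorized = true;
    }
    return $authorized;
}

// A request that carries no password at all, only the name of the flag.
$forged = ['authorized' => '1'];

var_dump(fragileCheck($forged));     // true: the request itself supplied $authorized
var_dump(hardenedCheck($forged));    // false: the flag was initialised before the check
```

On a PHP 4 or 5.x install where the setting still exists, `register_globals = Off` in php.ini is the configuration equivalent of the hardened version; from PHP 5.4 onward the option is gone and only explicit reads from the superglobal arrays remain, which is what patrikG's link is pointing at.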
theda
Forum Contributor
Posts: 332
Joined: Sat Feb 19, 2005 8:35 am
Location: USA

Post by theda »

Ah yes, one of the two. I tend to confuse the two, and probably will continue to. Such distinctions don't reside in my mind for long...