Edit report at http://bugs.php.net/bug.php?id=49712&edit=1
ID:                  49712
Updated by:          [email protected]
Reported by:         list2009 at lunch dot za dot net
Summary:             create_function designed for unwanted obfuscation
-Status:             Open
+Status:             Closed
Type:                Feature/Change Request
-Package:            Feature/Change Request
+Package:            *General Issues
Operating System:    any
PHP Version:         5.2.11
-Assigned To:
+Assigned To:        jani
Block user comment:  N
Private report:      N

New Comment:

With 5.3.4:

# php -d disable_functions=create_function t.php

Warning: create_function() has been disabled for security reasons in /home/jani/t.php on line 6

Previous Comments:
------------------------------------------------------------------------
[2009-09-29 15:20:28] list2009 at lunch dot za dot net

Description:
------------
Unlike eval(), create_function can be called by reference. It provides an excellent hook for PHP obfuscation that is difficult to detect in an automated way.

I would like to define a list of functions that can NOT be called by reference, and this function is first in my list, closely followed by the other functions in this snippet, system(), ob_flush(), etc.

Obfuscated code is one thing - obfuscated code that looks innocent is another.

Reproduce code:
---------------
--- From manual page: function.create-function#Description ---

Note that this code does not contain a single string for a scanner. Only a PHP interpreter can determine that this is obfuscated code, and calls str_rot13, base64_decode and runs the base64 encoded code.

<?php
$v="_";
$v.="rot";
$v.=14-1;
$v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();

Expected result:
----------------
Fatal error: Call to undefined function create_function()

or

Fatal error: function create_function cannot be called by reference.

Actual result:
--------------
U R pwnd

------------------------------------------------------------------------
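The report's central claim is that a signature scanner looking for literal strings such as "create_function" or "base64_decode" never sees them, because the names only exist after str_rot13 and base64_decode have run. The following Python scanner is an added example, not part of the bug report and not PHP project code; it embeds the reporter's snippet as a constructed sample, decodes every string literal one rot13 and one base64 layer deep, and counts variable function calls of the form $name(...). The list of names treated as suspicious is an assumption chosen for the illustration.

```python
"""Heuristic scanner for PHP that hides function names behind decoding layers."""
import base64
import binascii
import codecs
import re

# Assumed list of names a reviewer would not expect to find behind a decoder.
SUSPICIOUS_FUNCTIONS = {
    "create_function", "eval", "assert", "system", "exec", "shell_exec",
    "passthru", "popen", "proc_open", "base64_decode", "str_rot13", "gzinflate",
}

# Constructed sample: the snippet from the bug report, embedded inline.
SAMPLE_PHP = r'''<?php
$v="_";
$v.="rot";
$v.=14-1;
$v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();
'''

_LITERAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
_VARIABLE_CALL_RE = re.compile(r"\$[A-Za-z_]\w*\s*\(")
_NAME_RE = re.compile(r"\b(" + "|".join(sorted(SUSPICIOUS_FUNCTIONS)) + r")\b")


def string_literals(src):
    """Return every single- or double-quoted string literal in the source."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _LITERAL_RE.finditer(src)]


def decode_layers(literal):
    """Yield (layer, text) pairs: the literal as written, its rot13 form, and
    its base64 decoding when the literal is valid base64 that yields ASCII."""
    yield "plain", literal
    yield "rot13", codecs.encode(literal, "rot_13")
    if literal and len(literal) % 4 == 0:
        try:
            decoded = base64.b64decode(literal, validate=True)
            yield "base64", decoded.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            pass


def scan(src):
    """Report suspicious names found in literals (as written or decoded) and
    the number of variable function calls ($name(...)) in the source."""
    plain_hits, decoded_hits = [], []
    for lit in string_literals(src):
        for layer, text in decode_layers(lit):
            for m in _NAME_RE.finditer(text):
                hit = (lit, layer, m.group(1))
                (plain_hits if layer == "plain" else decoded_hits).append(hit)
    return {
        "plain_hits": plain_hits,
        "decoded_hits": decoded_hits,
        "variable_calls": len(_VARIABLE_CALL_RE.findall(src)),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PHP).items():
        print(key, value)
```

Run against the sample, the plain layer finds nothing, which is exactly what the reporter describes; the rot13 layer recovers base64_decode from "onfr64_qrpbqr" and the base64 layer recovers create_function from 'Y3JlYXRlX2Z1bmN0aW9u'. The str_rot13 name itself is never in any literal, since it is assembled from "str", "_", "rot" and the arithmetic 14-1, so no decoding of a single literal exposes it; the only signal left is the five $name(...) calls in ten lines. That is why a scanner of this kind is a triage aid rather than a control, and why the resolution in the thread, disable_functions=create_function, which applies however the name was obtained, is the robust answer.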
