Edit report at http://bugs.php.net/bug.php?id=49712&edit=1
ID: 49712
Updated by: [email protected]
Reported by: list2009 at lunch dot za dot net
Summary: create_function designed for unwanted obfuscation
Status: Closed
Type: Feature/Change Request
Package: *General Issues
Operating System: any
PHP Version: 5.2.11
Assigned To: jani
Block user comment: N
Private report: N

New Comment:

Then you need to look at Suhosin which provides such things like disabling the 'e' modifier for preg_replace():
http://www.hardened-php.net/index.html

Previous Comments:
------------------------------------------------------------------------
[2010-12-15 07:01:01] list2009 at lunch dot za dot net

disable_functions simply disables a function. This is not what I need: I needed to disable calling the function by reference, i.e.:

$moo="create_function"; $moo();

but not simple create_function().

preg_replace can be used instead of eval and create_function, but preg_replace cannot be disabled in most production environments. With calling by reference, it provides a ready path to obfuscated php injection - with code that looks like a mathematical calculation.

If I'm wasting my time here, maybe I should rather write the ultimate php obfuscator with some watermark, and see how long it goes before I detect that watermark in code hiding c99shell shell or V64.worm.php.2011 on my own systems...
------------------------------------------------------------------------
[2010-12-14 17:28:54] [email protected]

With 5.3.4:

# php -d disable_functions=create_function t.php
Warning: create_function() has been disabled for security reasons in /home/jani/t.php on line 6
------------------------------------------------------------------------
[2009-09-29 15:20:28] list2009 at lunch dot za dot net

Description:
------------
Unlike eval(), create_function can be called by reference. It provides an excellent hook for php obfuscation that is difficult to detect in an automated way.

I would like to define a list of functions that can NOT be called by reference, and this function is first in my list, closely followed by the other functions in this snippet, system(), ob_flush(), etc. Obfuscated code is one thing - obfuscated code that looks innocent is another.

Reproduce code:
---------------
--- From manual page: function.create-function#Description ---

Note that this code does not contain a single string for a scanner. Only a php interpreter can determine that this is obfuscated code, and calls str_rot13, base64_decode and runs the base64 encoded code.

<?php
$v="_";
$v.="rot";
$v.=14-1;
$v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y);
$z();

Expected result:
----------------
Fatal error: Call to undefined function create_function()
or
Fatal error: function create_function cannot be called by reference.

Actual result:
--------------
U R pwnd
------------------------------------------------------------------------
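As an added illustration (not part of the bug report or of PHP), a minimal static triage check in Python for the pattern the reporter describes: a variable whose value is assembled by concatenation and is then invoked as a function. The sample inputs are constructed here; the heuristic complements, and does not replace, interpreter-level controls such as disable_functions.

```python
import re

# Constructed sample 1: the obfuscated snippet posted in the bug report.
SUSPECT = r'''<?php
$v="_"; $v.="rot"; $v.=14-1; $v="str$v";
$w=$v("onfr64_qrpbqr");
$x=$w('Y3JlYXRlX2Z1bmN0aW9u');
$y=$w('ZWNobyAiVSBSIHB3bmRcbiI7Cg==');
$z=$x('',$y); $z();
'''

# Constructed sample 2: ordinary code that interpolates a variable but never calls one.
BENIGN = r'''<?php
$name = "world";
echo strtoupper("hello $name");
'''

# $name( ... ): a variable used as the callee, i.e. the "call by reference" of the report.
VAR_CALL = re.compile(r'\$([A-Za-z_]\w*)\s*\(')
# $name = ...; or $name .= ...; (one statement, terminated by ';').
ASSIGN = re.compile(r'\$([A-Za-z_]\w*)\s*(\.?=)\s*[^;]+;')


def find_variable_calls(src):
    """Distinct variables that are invoked as functions."""
    return sorted({m.group(1) for m in VAR_CALL.finditer(src)})


def find_string_builders(src):
    """Distinct variables whose value is grown with .= concatenation."""
    return sorted({m.group(1) for m in ASSIGN.finditer(src) if m.group(2) == ".="})


def assess(src):
    """Heuristic verdict: a variable that is first built by concatenation and
    then invoked is the hallmark of a function name assembled at run time."""
    calls = find_variable_calls(src)
    built_then_called = sorted(set(calls) & set(find_string_builders(src)))
    return {
        "variable_calls": calls,
        "built_then_called": built_then_called,
        # several chained variable calls alone are also worth a human look
        "suspicious": bool(built_then_called) or len(calls) >= 3,
    }


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, assess(src))
```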
