PHP filter_var Bypass Patch

When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. A patch has been included by the researcher as the PHP security team seems to have ignored this concern.


MD5 | 61136d35767f4ad61a626a2c83102bd2

Hello! 

When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. This vulnerability could be used to introduce vulnerabilities into code that would otherwise be safe to use.

Due to the lack of response from the PHP security team, I have decided to make this vulnerability publicly available instead. Especially because I haven't received any updates despite numerous requests. Because of the ease with which the vulnerability can be exploited, I believe that the community has a right to be informed about it.

Please see my write-up on https://pwning.systems/posts/php_filter_var_shenanigans/ for more information on how to exploit this vulnerability.

Because the PHP security team has not yet patched this issue, I have attached my own one-liner patch that you can apply with the command 'git am $patchfile’.

PATCH:
```
From 9c064e66226c9da5b9c0170342ba516055a31be5 Mon Sep 17 00:00:00 2001
From: Jordy Zomer <[email protected]>
Date: Fri, 25 Mar 2022 18:03:34 +0100
Subject: [PATCH] Fix integer conversion that results in filter bypass.

Signed-off-by: Jordy Zomer <[email protected]>
---
ext/filter/logical_filters.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 91bf929a9d..96a6c72b56 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -504,7 +504,7 @@ void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
}
}

-static int _php_filter_validate_domain(char * domain, int len, zend_long flags) /* {{{ */
+static int _php_filter_validate_domain(char * domain, size_t len, zend_long flags) /* {{{ */
{
char *e, *s, *t;
size_t l;
--
2.32.0
```

Cheers,

Jordy Zomer (@pwningsystems)



Related Posts