
EDIT FOR MORE INFO I have a page in an admin area where users can write their own PHP/HTML files for adding extra functionality etc. that they want to use in their website. I have an array of "dangerous" words to filter out any messing with core database tables, such as being able to write malicious code to drop the members table (for example).

The textarea/code area takes the content and uses fwrite to put it all into a PHP file which can then be included via template tags on a website.

When the file is saved, it reads all the text and checks it against the "dangerous array" of words that can't be used (e.g. exec, system, delete from, drop database, etc.).

But I've recently found a flaw where a variable like the one below can be put in the file, and then a MySQL command could be used like so:

    $var = "DR" . "OP " . "TA" . "BL" . "E";
    $sql = mysql_query($var . " tablename");

Checking all the file contents through an array match of words doesn't work in this scenario.

    $dangerous = "/\b(exec|system|delete from|drop database)\b/i";

    // Strip any blacklisted phrase from the submitted code before it is written to file.
    if (preg_match($dangerous, $code)) {
        $code = preg_replace($dangerous, '', $code);
    }

------- end edit

I have a function which checks an array of "bad words" and filters them out when saving a new custom user generated file (similar to what this question says), but I've discovered that it can easily be circumvented by splitting the invalid words with a variable.

For example, "DELETE FROM" is an invalid phrase, but if a file is made with this:

    $var = "DE" . "LET" . "E " . "FR" . "OM";

The array filter obviously can't detect this in the usual way. The problem is that these variable "hacks" can be written in any combination, so I'm not sure how - or if - there's a way to detect things like this in a file.

Can this be done?

  • Can you give a more concrete example? For your current example checking the contents of `$var` would work just fine. – apokryfos Apr 08 '16 at 10:41
  • Indeed, this just appears to be a question of _when_ in your code you check the resulting string. – arkascha Apr 08 '16 at 10:41
  • I'll edit the question to include more of the process – MrLewk Apr 08 '16 at 10:42
  • 1
    I don't think it's possible to do this. You should probably [sandbox](https://github.com/Corveda/PHPSandbox) your user-generated scripts instead. In general it's probably good practice to not allow untrusted users to inject PHP code in your site. And in practical terms , no user can be trusted. – apokryfos Apr 08 '16 at 10:53
  • I know, "never trust the user", but it's for their own site to create basic "plugin" like scripts to extend functionality, with some limits, so you'd hope they wouldn't purposely break it.. but you never know! – MrLewk Apr 08 '16 at 10:57
  • Or is there any way to read a file and have the variables converted/printed out as they would be when the PHP is executed? – MrLewk Apr 08 '16 at 11:05
  • @MrLewk I think it's close to impossible to do via blacklisting. What you've posted here is just the tip of the iceberg in terms of injections, weird concatenations etc. What about base64 strings, shifted strings, XOR, binary, hexadecimal, byte arrays, yadda yadda. E.g. `$some_string = implode(array_map("chr", array(100, 114, 111, 112, 32, 116, 97, 98, 108, 101)));`. It shouldn't be allowed to run in the first place. – jDo Apr 08 '16 at 11:10
  • @jDo yeh true, I will look into the sandbox options then instead. Thanks for the comments – MrLewk Apr 08 '16 at 11:14
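As an added example (mine, not code from the question or its commenters) alongside the sandbox advice above: the question's regex blacklist beside a check over PHP's own token stream, both run on the concatenation bypass from the question. The names `blacklistRejects()`, `allowlistViolations()` and the `$allowed` list are assumptions for illustration.

```php
<?php
// Constructed input: the concatenation bypass from the question, written as a file body.
$userCode = <<<'PHP'
<?php
$var = "DE" . "LET" . "E " . "FR" . "OM";
$sql = mysql_query($var . " members");
PHP;

// The regex blacklist from the question: it only sees the literal phrase, so it misses this.
function blacklistRejects(string $code): bool
{
    $dangerous = '/\b(exec|system|delete from|drop database)\b/i';
    return preg_match($dangerous, $code) === 1;
}

// Allowlist over PHP's own token stream (token_get_all): every token directly followed by
// '(' must be an allowed name, so how the arguments were assembled (concatenation, chr(),
// base64) is irrelevant. Keywords like if/while also go in $allowed. Names are assumed.
function allowlistViolations(string $code, array $allowed): array
{
    $violations = [];
    $tokens = token_get_all($code);
    $n = count($tokens);
    $prevId = null;                                   // previous non-whitespace token id
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        $j = $i + 1;                                  // look past whitespace for a '('
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) { $j++; }
        $isCall = $j < $n && $tokens[$j] === '(';
        if (!is_array($t)) {                          // one-character tokens
            if ($t === '`') { $violations[] = 'backtick shell execution'; }
            if ($isCall && ($t === ')' || $t === ']')) { $violations[] = 'dynamic call (expr)()'; }
            continue;
        }
        [$id, $text, $line] = $t;
        if ($id === T_WHITESPACE) { continue; }
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $violations[] = "line $line: $text";
        } elseif ($isCall && ($id === T_VARIABLE || $id === T_CONSTANT_ENCAPSED_STRING)) {
            $violations[] = "line $line: dynamic call via $text";     // $f() or 'name'()
        } elseif ($isCall && $prevId !== T_FUNCTION                    // not a declaration
            && !in_array(strtolower(ltrim($text, '\\')), $allowed, true)) {
            $violations[] = "line $line: call to $text()";
        }
        $prevId = $id;
    }
    return $violations;
}
var_dump(blacklistRejects($userCode));
print_r(allowlistViolations($userCode, ['if', 'while', 'foreach', 'isset', 'function', 'strlen', 'htmlspecialchars']));
```

Method and static calls are checked by name as well, so the allowlist stays deliberately conservative; as the comments note, a sandbox is still the safer place to run code you did not write.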

0 Answers