Re: PHP White list 1.0!
Date: August 13, 2008 12:33PM
I was gonna do that after I have more functions and it's a little more stable (in case someone actually goes and uses it)
But I guess I can give it to you guys right now as well, so here it goes:
edit: updated
edit: updated again
edit: updated again
edit: yet another update
edit: OOP!
edit: code made stricter (nothing but alphanumeric/underscore characters may follow `function` and `class`; `(` can no longer be used after a `;`, unless you're casting)
edit: more strictness when making functions/classes
edit: updated, fixed some stuff, added some functionality and stopped path exposure
edit: custom preg_replace added.
edit: fixed ${function}() exploit
edit: fixed ${blockedvariable},$${varcontainingblockedvariablename},$$varcontainingblockedvariablename and cpreg_replace(" /x/e","phpinfo();","x"); (whitespace exploit)
edit: fixed these kind of exploits for real this time
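// Defensive setup, run before any submitted code is evaluated.
//
// With register_globals on, every request/file/server/env key also exists as a
// global variable. Purge those FIRST, so a request parameter cannot clobber a
// variable this script defines afterwards ($_SERVER2 below was previously built
// before the purge, and a request key named "_SERVER2" would have deleted it).
// Superglobals themselves are skipped: they are not user registrations and
// $_POST is still needed further down.
if (ini_get('register_globals')) {
    $superglobals = array('GLOBALS', '_SERVER', '_GET', '_POST', '_FILES', '_COOKIE', '_SESSION', '_REQUEST', '_ENV');
    foreach (array($_REQUEST, $_FILES, $_SERVER, $_ENV) as $source) {
        foreach ($source as $key => $var) {
            if (in_array($key, $superglobals, true)) continue;
            if (isset($GLOBALS[$key])) unset($GLOBALS[$key]);
        }
    }
    unset($superglobals, $source, $key, $var);
}

// Reduced copy of $_SERVER exposed to the evaluated code as $_SERVER2, because
// whitelist() rejects $_SERVER itself. Entries that are absent (no Referer
// header, CLI run, ...) become null instead of raising an undefined-index notice.
$_SERVER2 = array();
foreach (array('REMOTE_PORT', 'REMOTE_ADDR', 'HTTP_REFERER', 'HTTP_KEEP_ALIVE') as $key) {
    $_SERVER2[$key] = isset($_SERVER[$key]) ? $_SERVER[$key] : null;
}
unset($key);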
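/**
 * preg_replace() front-end for patterns supplied by the evaluated code.
 *
 * Normalises the pattern before it reaches preg_replace(): NUL bytes are
 * removed, the pattern must have the shape <delim>body<delim>modifiers, and
 * only the modifiers i s m x A D S U X J u are kept - so the `e` modifier in
 * particular is always dropped. A pattern that does not have that shape is
 * refused instead of being handed to preg_replace() unfiltered (the previous
 * version only recognised single-line patterns and passed anything else
 * through untouched).
 *
 * @param string $needle      PCRE pattern with delimiters and modifiers.
 * @param string $replacement Replacement text, as for preg_replace().
 * @param string $haystack    Subject string.
 * @return string|null preg_replace()'s result, or null for a malformed pattern
 *                     (the same value preg_replace() yields for an invalid one).
 */
function cpreg_replace($needle, $replacement, $haystack) {
    $needle = trim($needle);
    // A NUL byte would terminate the pattern early inside preg_replace.
    $needle = str_replace("\0", "", $needle);
    // Delimiter (not alphanumeric, underscore or backslash), greedy body, the same
    // delimiter again, then whatever follows as modifiers. The `s` flag lets the body
    // span newlines, so a multi-line pattern is parsed rather than falling through.
    if (!preg_match('/^([^\d\w\\\\])(.*)\1(.*)$/s', $needle, $parts)) {
        return null; // fail closed: not delimiter/body/delimiter/modifiers
    }
    $delimiter = $parts[1];
    $body = $parts[2];
    $modifiers = preg_replace('/[^ismxADSUXJu]/', '', $parts[3]);
    return preg_replace($delimiter . $body . $delimiter . $modifiers, $replacement, $haystack);
}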
// Output-only stand-ins for the GD encoders. The originals take a filename as
// their second argument and write the image to disk; these accept the same
// arity so code written for imagepng()/imagegif()/imagejpeg() still parses, but
// the second argument is never forwarded, so the image can only go to output.
if (extension_loaded('gd') && function_exists('gd_info')) {
    /** PNG-encode $a to the output stream; $b is accepted for arity only and ignored. */
    function cimagepng($a, $b = 0)
    {
        $emitted = imagepng($a);
        return $emitted;
    }

    /** GIF-encode $a to the output stream; $b is accepted for arity only and ignored. */
    function cimagegif($a, $b = 0)
    {
        $emitted = imagegif($a);
        return $emitted;
    }

    /** JPEG-encode $a to the output stream; $b is accepted for arity only and ignored. */
    function cimagejpeg($a, $b = 0)
    {
        $emitted = imagejpeg($a);
        return $emitted;
    }
}
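/**
 * Token-level allowlist check for submitted PHP source.
 *
 * Tokenises $code with token_get_all() and walks the stream once, keeping a
 * small look-behind of the previous significant tokens. Returns 0 when every
 * token is acceptable, otherwise a human-readable (HTML-escaped) rejection
 * message naming the offending token and line; the caller only eval()s the
 * source when 0 is returned.
 *
 * What is checked, in order, for each token:
 *  - variables against $varblacklist, plus rejection of $$name / ${...} forms;
 *  - names after `function` / `class` against $fcblacklist (and recorded so the
 *    code may call/instantiate its own definitions);
 *  - `new X` only for classes the code defined itself ($classes stays empty);
 *  - `->name` against $fcblacklist;
 *  - any other bare name against $functions / the code's own functions;
 *  - everything else must be a token named in $oktokens;
 *  - single characters: "`" is refused, and "(" may only follow the tokens in
 *    $before or the characters in $charsbefore.
 *
 * NOTE(review): this is a syntactic filter over the tokenizer's output, not a
 * trust boundary. Anything the lists below do not anticipate (newer token
 * types, resource exhaustion, behaviour reachable through allowed functions)
 * goes straight to eval(); treat it as defence in depth and run the evaluated
 * code in an isolated process with its own limits.
 *
 * @param string   $code  Source text to check, including its opening <?php tag.
 * @param int|bool $debug When truthy, echo a trace of every token seen. Off by
 *                        default: the trace echoes submitted source back into the
 *                        page and exposes the filter's internals.
 * @return int|string 0 when accepted, else the rejection message.
 */
function whitelist($code, $debug = 0) {
    $varblacklist = array();       // variables the code may not reference
    $characterblacklist = array(); // single-character tokens that are refused outright
    $fcblacklist = array();        // names the code may not define, call or access via ->
    $functions = array();          // built-in functions the code may call
    $customfunctions = array();    // functions the submitted code defines itself
    $classes = array();            // built-in classes allowed with `new` (none by default)
    $customclasses = array();      // classes the submitted code defines itself
    $oktokens = array();           // token names accepted without further checks
    $before = array();             // token names allowed directly before a given character
    $charsbefore = array();        // characters allowed directly before a given character
    // Look-behind state, [0] being the most recent entry. Seeded with a dummy
    // token so the first iteration never reads an undefined offset; token_name(0)
    // is "UNKNOWN", which matches none of the checks below.
    $nulltoken = array(0, "", 0);
    $buffer = array($nulltoken, $nulltoken, $nulltoken);        // last significant array tokens
    $semirawbuffer = array($nulltoken, $nulltoken, $nulltoken); // same, but character tokens included
    $bufferage = 0; // character tokens seen since $buffer was last updated
    // Shared suffix of the "not allowed" messages.
    $note = " - Note: The validator does not allow constants directly, please use constant() and define() to use them, and only supports \"good\" code (\$var['x'] instead of \$var[x])";
    //do not comment out these, for security reasons
    $varblacklist[] = "\$_SERVER";
    $varblacklist[] = "\$_ENV";
    $varblacklist[] = "\$GLOBALS";
    $varblacklist[] = "\$HTTP_SERVER_VARS";
    $varblacklist[] = "\$HTTP_ENV_VARS";
    $varblacklist[] = "\$php_errormsg";
    //feel free to comment out the below if you have register globals disabled, or disabled it manually
    $varblacklist[] = "\$APACHE_PID_FILE";
    $varblacklist[] = "\$PATH";
    $varblacklist[] = "\$APACHE_RUN_GROUP";
    $varblacklist[] = "\$APACHE_RUN_USER";
    $varblacklist[] = "\$PWD";
    $varblacklist[] = "\$HTTP_HOST";
    $varblacklist[] = "\$SERVER_SIGNATURE";
    $varblacklist[] = "\$HTTP_COOKIE";
    $varblacklist[] = "\$SERVER_SOFTWARE";
    $varblacklist[] = "\$SERVER_NAME";
    $varblacklist[] = "\$SERVER_ADDR";
    $varblacklist[] = "\$DOCUMENT_ROOT";
    $varblacklist[] = "\$SERVER_ADMIN";
    $varblacklist[] = "\$SCRIPT_FILENAME";
    $varblacklist[] = "\$SERVER_ADMIN";
    //only comment out the below if you want to allow access to cookies/session data
    //$varblacklist[] = "\$_SESSION";
    //$varblacklist[] = "\$_COOKIE";
    //$varblacklist[] = "\$_REQUEST";
    //$varblacklist[] = "\$HTTP_SESSION_VARS";
    //$varblacklist[] = "\$HTTP_COOKIE_VARS";
    //$varblacklist[] = "\$HTTP_REQUEST_VARS";
    //uncomment below if you want to deny POST/GET
    //$varblacklist[] = "\$_GET";
    //$varblacklist[] = "\$_POST";
    //$varblacklist[] = "\$HTTP_GET_VARS";
    //$varblacklist[] = "\$HTTP_POST_VARS";
    //do not remove this one.
    $characterblacklist[] = "`";
    //custom function blacklist - just in case
    $fcblacklist[] = "file_get_contents";
    $fcblacklist[] = "assert";
    $fcblacklist[] = "bind_textdomain_codeset";
    $fcblacklist[] = "bindtextdomain";
    $fcblacklist[] = "bzopen";
    $fcblacklist[] = "bzwrite";
    $fcblacklist[] = "call_user_func";
    $fcblacklist[] = "call_user_func_array";
    $fcblacklist[] = "chdir";
    $fcblacklist[] = "chgrp";
    $fcblacklist[] = "chmod";
    $fcblacklist[] = "chown";
    $fcblacklist[] = "chroot";
    $fcblacklist[] = "com_load_typelib";
    $fcblacklist[] = "constant";
    $fcblacklist[] = "copy";
    $fcblacklist[] = "create_function";
    $fcblacklist[] = "curl_init";
    $fcblacklist[] = "cyrus_connect";
    $fcblacklist[] = "dba_delete";
    $fcblacklist[] = "dba_exists";
    $fcblacklist[] = "dba_fetch";
    $fcblacklist[] = "dba_insert";
    $fcblacklist[] = "dba_popen";
    $fcblacklist[] = "dba_replace";
    $fcblacklist[] = "dbase_add_record";
    $fcblacklist[] = "dbase_create";
    $fcblacklist[] = "dbase_delete_record";
    $fcblacklist[] = "dbase_get_record";
    $fcblacklist[] = "dbase_get_record_with_names";
    $fcblacklist[] = "dbase_open";
    $fcblacklist[] = "dbase_replace_record";
    $fcblacklist[] = "dbx_connect";
    $fcblacklist[] = "dbx_query";
    $fcblacklist[] = "dcgettext";
    $fcblacklist[] = "dcngettext";
    $fcblacklist[] = "dgettext";
    $fcblacklist[] = "dio_open";
    $fcblacklist[] = "dio_write";
    $fcblacklist[] = "dirname";
    $fcblacklist[] = "dngettext";
    $fcblacklist[] = "domxml_open_file";
    $fcblacklist[] = "domxml_open_mem";
    $fcblacklist[] = "domxml_xslt_stylesheet";
    $fcblacklist[] = "domxml_xslt_stylesheet_file";
    $fcblacklist[] = "eval";
    $fcblacklist[] = "exec";
    $fcblacklist[] = "fbsql_change_user";
    $fcblacklist[] = "fbsql_connect";
    $fcblacklist[] = "fbsql_create_blob";
    $fcblacklist[] = "fbsql_create_db";
    $fcblacklist[] = "fbsql_database";
    $fcblacklist[] = "fbsql_database_password";
    $fcblacklist[] = "fbsql_db_query";
    $fcblacklist[] = "fbsql_drop_db";
    $fcblacklist[] = "fbsql_pconnect";
    $fcblacklist[] = "fbsql_query";
    $fcblacklist[] = "fbsql_select_db";
    $fcblacklist[] = "fbsql_set_password";
    $fcblacklist[] = "fbsql_start_db";
    $fcblacklist[] = "fbsql_stop_db";
    $fcblacklist[] = "fbsql_username";
    $fcblacklist[] = "fdf_add_doc_javascript";
    $fcblacklist[] = "fdf_open";
    $fcblacklist[] = "fopen";
    $fcblacklist[] = "fsockopen";
    $fcblacklist[] = "ftp_chdir";
    $fcblacklist[] = "ftp_chmod";
    $fcblacklist[] = "ftp_connect";
    $fcblacklist[] = "ftp_exec";
    $fcblacklist[] = "ftp_login";
    $fcblacklist[] = "ftp_mkdir";
    $fcblacklist[] = "ftp_raw";
    $fcblacklist[] = "ftp_rename";
    $fcblacklist[] = "ftp_rmdir";
    $fcblacklist[] = "ftp_site";
    $fcblacklist[] = "fwrite";
    $fcblacklist[] = "gettext";
    $fcblacklist[] = "gzopen";
    $fcblacklist[] = "gzread";
    $fcblacklist[] = "gzwrite";
    //$fcblacklist[] = "header";
    $fcblacklist[] = "highlight_file";
    $fcblacklist[] = "ibase_add_user";
    $fcblacklist[] = "ibase_blob_echo";
    $fcblacklist[] = "ibase_connect";
    $fcblacklist[] = "ibase_delete_user";
    $fcblacklist[] = "ibase_pconnect";
    $fcblacklist[] = "ibase_prepare";
    $fcblacklist[] = "ibase_query";
    $fcblacklist[] = "iconv_set_encoding";
    $fcblacklist[] = "id3_set_tag";
    $fcblacklist[] = "ifx_connect";
    $fcblacklist[] = "ifx_pconnect";
    $fcblacklist[] = "ifx_query";
    $fcblacklist[] = "image2wbmp";
    $fcblacklist[] = "imagecreatefromgd";
    $fcblacklist[] = "imagecreatefromgd2";
    $fcblacklist[] = "imagecreatefromgd2part";
    $fcblacklist[] = "imagecreatefromgif";
    $fcblacklist[] = "imagecreatefromjpeg";
    $fcblacklist[] = "imagecreatefromjpeg";
    $fcblacklist[] = "imagecreatefromstring";
    $fcblacklist[] = "imagecreatefromwbmp";
    $fcblacklist[] = "imagecreatefromxbm";
    $fcblacklist[] = "imagecreatefromxpm";
    $fcblacklist[] = "imagegd";
    $fcblacklist[] = "imagegd2";
    $fcblacklist[] = "imagegif";
    $fcblacklist[] = "imagejpeg";
    $fcblacklist[] = "imagepng";
    $fcblacklist[] = "imap_append";
    $fcblacklist[] = "imap_createmailbox";
    $fcblacklist[] = "imap_delete";
    $fcblacklist[] = "imap_deletemailbox";
    $fcblacklist[] = "imap_mail";
    $fcblacklist[] = "imap_open";
    $fcblacklist[] = "imap_reopen";
    $fcblacklist[] = "imap_set_quota";
    $fcblacklist[] = "imap_setacl";
    $fcblacklist[] = "imap_setflag_full";
    $fcblacklist[] = "imap_status";
    $fcblacklist[] = "imap_unsubscribe";
    $fcblacklist[] = "ingres_connect";
    $fcblacklist[] = "ingres_pconnect";
    $fcblacklist[] = "ircg_invite";
    $fcblacklist[] = "ircg_join";
    $fcblacklist[] = "ircg_msg";
    $fcblacklist[] = "ircg_pconnect";
    $fcblacklist[] = "ldap_connect";
    $fcblacklist[] = "ldap_list";
    $fcblacklist[] = "ldap_rename";
    $fcblacklist[] = "ldap_search";
    $fcblacklist[] = "link";
    $fcblacklist[] = "mail";
    $fcblacklist[] = "mb_send_mail";
    $fcblacklist[] = "mkdir";
    $fcblacklist[] = "move_uploaded_file";
    $fcblacklist[] = "msession_connect";
    $fcblacklist[] = "msession_create";
    $fcblacklist[] = "msession_destroy";
    $fcblacklist[] = "msession_find";
    $fcblacklist[] = "msession_get";
    $fcblacklist[] = "msession_get_array";
    $fcblacklist[] = "msession_get_data";
    $fcblacklist[] = "msession_lock";
    $fcblacklist[] = "msession_set";
    $fcblacklist[] = "msession_set_array";
    $fcblacklist[] = "msession_set_data";
    $fcblacklist[] = "msession_unlock";
    $fcblacklist[] = "msg_send";
    $fcblacklist[] = "msql";
    $fcblacklist[] = "msql_connect";
    $fcblacklist[] = "msql_create_db";
    $fcblacklist[] = "msql_createdb";
    $fcblacklist[] = "msql_db_query";
    $fcblacklist[] = "msql_drop_db";
    $fcblacklist[] = "msql_list_fields";
    $fcblacklist[] = "msql_list_tables";
    $fcblacklist[] = "msql_pconnect";
    $fcblacklist[] = "msql_query";
    $fcblacklist[] = "msql_select_db";
    $fcblacklist[] = "mssql_connect";
    $fcblacklist[] = "mssql_pconnect";
    $fcblacklist[] = "mssql_query";
    $fcblacklist[] = "mssql_select_db";
    $fcblacklist[] = "mysql_change_user";
    $fcblacklist[] = "mysql_connect";
    $fcblacklist[] = "mysql_create_db";
    $fcblacklist[] = "mysql_db_query";
    $fcblacklist[] = "mysql_drop_db";
    $fcblacklist[] = "mysql_query";
    $fcblacklist[] = "mysql_select_db";
    $fcblacklist[] = "mysql_unbuffered_query";
    $fcblacklist[] = "odbc_connect";
    $fcblacklist[] = "odbc_exec";
    $fcblacklist[] = "odbc_pconnect";
    $fcblacklist[] = "opendir";
    $fcblacklist[] = "openlog";
    $fcblacklist[] = "ora_do";
    $fcblacklist[] = "ora_plogon";
    $fcblacklist[] = "ovrimos_connect";
    $fcblacklist[] = "ovrimos_exec";
    $fcblacklist[] = "parse_ini_file";
    $fcblacklist[] = "parse_str";
    $fcblacklist[] = "parse_url";
    $fcblacklist[] = "parsekit_compile_string";
    $fcblacklist[] = "passthru";
    $fcblacklist[] = "pcntl_exec";
    $fcblacklist[] = "pfpro_process";
    $fcblacklist[] = "pfpro_process_raw";
    $fcblacklist[] = "pfsockopen";
    $fcblacklist[] = "pg_connect";
    $fcblacklist[] = "pg_insert";
    $fcblacklist[] = "pg_pconnect";
    $fcblacklist[] = "pg_query";
    $fcblacklist[] = "pg_select";
    $fcblacklist[] = "pg_send_query";
    $fcblacklist[] = "php_check_syntax";
    $fcblacklist[] = "popen";
    //$fcblacklist[] = "print_r";
    //$fcblacklist[] = "printf";
    $fcblacklist[] = "proc_open";
    $fcblacklist[] = "putenv";
    $fcblacklist[] = "readfile";
    $fcblacklist[] = "readgzfile";
    $fcblacklist[] = "readline";
    $fcblacklist[] = "readlink";
    $fcblacklist[] = "register_shutdown_function";
    $fcblacklist[] = "register_tick_function";
    $fcblacklist[] = "rename";
    $fcblacklist[] = "rmdir";
    $fcblacklist[] = "scandir";
    $fcblacklist[] = "session_id";
    $fcblacklist[] = "session_register";
    $fcblacklist[] = "session_save_path";
    $fcblacklist[] = "set_include_path";
    $fcblacklist[] = "set_time_limit";
    //$fcblacklist[] = "setcookie";
    $fcblacklist[] = "setlocale";
    $fcblacklist[] = "setrawcookie";
    $fcblacklist[] = "shell_exec";
    $fcblacklist[] = "sleep";
    $fcblacklist[] = "socket_connect";
    $fcblacklist[] = "socket_create_listen";
    $fcblacklist[] = "socket_write";
    $fcblacklist[] = "stream_context_set_option";
    $fcblacklist[] = "stream_context_set_params";
    $fcblacklist[] = "sybase_connect";
    $fcblacklist[] = "sybase_pconnect";
    $fcblacklist[] = "sybase_query";
    $fcblacklist[] = "sybase_select_db";
    $fcblacklist[] = "sybase_unbuffered_query";
    $fcblacklist[] = "symlink";
    $fcblacklist[] = "syslog";
    $fcblacklist[] = "touch";
    $fcblacklist[] = "trigger_error";
    $fcblacklist[] = "unlink";
    $fcblacklist[] = "vprintf";
    $fcblacklist[] = "vsprintf";
    $fcblacklist[] = "ibase_service_attach";
    $fcblacklist[] = "ibase_wait_event";
    $fcblacklist[] = "file_put_contents";
    $fcblacklist[] = "mysqli_change_user";
    $fcblacklist[] = "mysqli";
    $fcblacklist[] = "mysqli_embedded_connect";
    $fcblacklist[] = "mysqliselect_db";
    $fcblacklist[] = "mysqlisend_query";
    $fcblacklist[] = "oci_connect";
    $fcblacklist[] = "oci_pconnect";
    // $fcblacklist[] = "quotemeta";
    $fcblacklist[] = "SQLiteDatabasearrayQuery";
    $fcblacklist[] = "SQLiteDatabaseexec";
    $fcblacklist[] = "sqlite_popen";
    $fcblacklist[] = "SQLiteDatabasesingleQuery";
    $fcblacklist[] = "SQLiteDatabaseunbufferedQuery";
    $fcblacklist[] = "stream_socket_client";
    $fcblacklist[] = "time_nanosleep";
    $fcblacklist[] = "getenv";
    $fcblacklist[] = "SQLiteUnbufferedfetchAll";
    $fcblacklist[] = "SQLiteUnbufferedfetch";
    $fcblacklist[] = "SQLiteDatabasefetchColumnTypes";
    $fcblacklist[] = "SQLiteUnbufferedfetchObject";
    $fcblacklist[] = "SQLiteUnbufferedfetchSingle";
    $fcblacklist[] = "SQLiteDatabasesingleQuery";
    $fcblacklist[] = "SQLiteDatabasearrayQuery";
    $fcblacklist[] = "fgetc";
    $fcblacklist[] = "fgetcsv";
    $fcblacklist[] = "fgets";
    $fcblacklist[] = "fgetss";
    $fcblacklist[] = "file";
    $fcblacklist[] = "mysql_fetch_array";
    $fcblacklist[] = "mysql_fetch_assoc";
    $fcblacklist[] = "mysql_fetch_field";
    $fcblacklist[] = "mysql_fetch_row";
    $fcblacklist[] = "mysql_get_client_info";
    $fcblacklist[] = "mysql_get_host_info";
    $fcblacklist[] = "mysql_get_proto_info";
    $fcblacklist[] = "mysql_info";
    $fcblacklist[] = "mysql_list_dbs";
    $fcblacklist[] = "mysql_list_fields";
    $fcblacklist[] = "mysql_list_processes";
    $fcblacklist[] = "mysql_list_tables";
    $fcblacklist[] = "mysql_stat";
    $fcblacklist[] = "mysql_thread_id";
    $fcblacklist[] = "fsockopen";
    $fcblacklist[] = "dba_fetch";
    $fcblacklist[] = "disk_free_space";
    $fcblacklist[] = "disk_total_space";
    $fcblacklist[] = "error_reporting";
    $fcblacklist[] = "extension_loaded";
    $fcblacklist[] = "fbsql_database_password";
    $fcblacklist[] = "fbsql_db_status";
    $fcblacklist[] = "fbsql_list_fields";
    $fcblacklist[] = "fbsql_list_tables";
    $fcblacklist[] = "fbsql_username";
    $fcblacklist[] = "file_exists";
    $fcblacklist[] = "fileatime";
    $fcblacklist[] = "filectime";
    $fcblacklist[] = "filegroup";
    $fcblacklist[] = "fileinode";
    $fcblacklist[] = "filemtime";
    $fcblacklist[] = "fileowner";
    $fcblacklist[] = "fileperms";
    $fcblacklist[] = "filetype";
    $fcblacklist[] = "fstat";
    $fcblacklist[] = "ftp_mdtm";
    $fcblacklist[] = "ftp_size";
    $fcblacklist[] = "ftp_systype";
    $fcblacklist[] = "system";
    $fcblacklist[] = "function_exists";
    $fcblacklist[] = "gd_info";
    $fcblacklist[] = "get_cfg_var";
    $fcblacklist[] = "get_class";
    $fcblacklist[] = "get_class_methods";
    $fcblacklist[] = "get_class_vars";
    $fcblacklist[] = "get_current_user";
    $fcblacklist[] = "get_declared_classes";
    $fcblacklist[] = "get_defined_constants";
    $fcblacklist[] = "get_defined_functions";
    $fcblacklist[] = "get_defined_vars";
    $fcblacklist[] = "get_extension_funcs";
    $fcblacklist[] = "get_headers";
    $fcblacklist[] = "get_html_translation_table";
    $fcblacklist[] = "get_include_path";
    $fcblacklist[] = "get_included_files";
    $fcblacklist[] = "get_loaded_extensions";
    //$fcblacklist[] = "get_magic_quotes_gpc";
    $fcblacklist[] = "get_magic_quotes_runtime";
    $fcblacklist[] = "get_meta_tags";
    $fcblacklist[] = "get_parent_class";
    $fcblacklist[] = "get_required_files";
    $fcblacklist[] = "getcwd";
    $fcblacklist[] = "getenv";
    $fcblacklist[] = "getlastmod";
    $fcblacklist[] = "getmygid";
    $fcblacklist[] = "getmyinode";
    $fcblacklist[] = "getmypid";
    $fcblacklist[] = "getmyuid";
    $fcblacklist[] = "getrusage";
    $fcblacklist[] = "gettype";
    $fcblacklist[] = "iconv_get_encoding";
    $fcblacklist[] = "imap_alerts";
    $fcblacklist[] = "imap_check";
    $fcblacklist[] = "imap_fetch_overview";
    $fcblacklist[] = "imap_get_quota";
    $fcblacklist[] = "imap_get_quotaroot";
    $fcblacklist[] = "imap_getmailboxes";
    $fcblacklist[] = "imap_getsubscribed";
    $fcblacklist[] = "imap_list";
    $fcblacklist[] = "imap_listscan";
    $fcblacklist[] = "imap_lsub";
    $fcblacklist[] = "imap_mailboxmsginfo";
    $fcblacklist[] = "imap_num_recent";
    $fcblacklist[] = "imap_status";
    $fcblacklist[] = "ini_get";
    $fcblacklist[] = "ini_get_all";
    $fcblacklist[] = "ini_set";
    $fcblacklist[] = "ircg_get_username";
    $fcblacklist[] = "linkinfo";
    $fcblacklist[] = "mb_get_info";
    $fcblacklist[] = "mb_http_input";
    $fcblacklist[] = "mb_http_output";
    $fcblacklist[] = "mb_internal_encoding";
    $fcblacklist[] = "mcrypt_enc_get_algorithms_name";
    $fcblacklist[] = "mcrypt_list_modes";
    //$fcblacklist[] = "md5";
    $fcblacklist[] = "md5_file";
    $fcblacklist[] = "msession_list";
    $fcblacklist[] = "msession_listvar";
    $fcblacklist[] = "msg_stat_queue";
    $fcblacklist[] = "mysql_fetch_array";
    $fcblacklist[] = "mysql_fetch_assoc";
    $fcblacklist[] = "mysql_fetch_field";
    $fcblacklist[] = "mysql_fetch_row";
    $fcblacklist[] = "mysql_get_client_info";
    $fcblacklist[] = "mysql_get_host_info";
    $fcblacklist[] = "mysql_get_proto_info";
    $fcblacklist[] = "mysql_info";
    $fcblacklist[] = "mysql_list_dbs";
    $fcblacklist[] = "mysql_list_fields";
    $fcblacklist[] = "mysql_list_processes";
    $fcblacklist[] = "mysql_list_tables";
    $fcblacklist[] = "mysql_stat";
    $fcblacklist[] = "mysql_thread_id";
    $fcblacklist[] = "nl_langinfo";
    $fcblacklist[] = "ob_list_handlers";
    $fcblacklist[] = "odbc_gettypeinfo";
    $fcblacklist[] = "odbc_statistics";
    $fcblacklist[] = "odbc_tables";
    $fcblacklist[] = "pg_version";
    $fcblacklist[] = "php_ini_scanned_files";
    $fcblacklist[] = "php_uname";
    $fcblacklist[] = "phpcredits";
    $fcblacklist[] = "phpinfo";
    $fcblacklist[] = "phpversion";
    $fcblacklist[] = "var_dump";
    $fcblacklist[] = "var_export";
    $fcblacklist[] = "fam_monitor_collection";
    $fcblacklist[] = "fam_monitor_directory";
    $fcblacklist[] = "fam_monitor_file";
    $fcblacklist[] = "get_declared_interfaces";
    $fcblacklist[] = "headers_list";
    $fcblacklist[] = "ibase_db_info";
    $fcblacklist[] = "ibase_num_params";
    $fcblacklist[] = "ibase_server_info";
    $fcblacklist[] = "imap_getacl";
    $fcblacklist[] = "interface_exists";
    $fcblacklist[] = "stmtfetch";
    $fcblacklist[] = "mysqli_get_client_version";
    $fcblacklist[] = "mysqliget_host_info";
    $fcblacklist[] = "mysqliinfo";
    $fcblacklist[] = "mysqliquery";
    $fcblacklist[] = "mysqlireal_connect";
    $fcblacklist[] = "oci_fetch_all";
    $fcblacklist[] = "oci_fetch_row";
    $fcblacklist[] = "dl";
    //$fcblacklist[] = "header";
    $fcblacklist[] = "include";
    $fcblacklist[] = "include_once";
    $fcblacklist[] = "require";
    $fcblacklist[] = "require_once";
    $fcblacklist[] = "virtual";
    $fcblacklist[] = "dio_read";
    $fcblacklist[] = "error_log";
    $fcblacklist[] = "finfo_open";
    $fcblacklist[] = "fpassthru";
    $fcblacklist[] = "fread";
    $fcblacklist[] = "fscanf";
    $fcblacklist[] = "glob";
    $fcblacklist[] = "readdir";
    $fcblacklist[] = "stat";
    $fcblacklist[] = "preg_replace";
    $fcblacklist[] = "tmpfile";
    $fcblacklist[] = "mysql_pconnect";
    $fcblacklist[] = "ora_exec";
    $fcblacklist[] = "ora_logon";
    $fcblacklist[] = "curl_exec";
    $fcblacklist[] = "curl_multi_exec";
    $fcblacklist[] = "session_start";
    //$fcblacklist[] = "setcookie";
    $fcblacklist[] = "socket_accept";
    $fcblacklist[] = "socket_bind";
    $fcblacklist[] = "socket_create";
    $fcblacklist[] = "socket_listen";
    $fcblacklist[] = "socket_send";
    $fcblacklist[] = "stream_socket_server";
    $fcblacklist[] = "runkit_class_adopt";
    $fcblacklist[] = "runkit_class_emancipate";
    $fcblacklist[] = "runkit_constant_add";
    $fcblacklist[] = "runkit_constant_redefine";
    $fcblacklist[] = "runkit_constant_remove";
    $fcblacklist[] = "runkit_function_add";
    $fcblacklist[] = "runkit_function_copy";
    $fcblacklist[] = "runkit_function_redefine";
    $fcblacklist[] = "runkit_function_remove";
    $fcblacklist[] = "runkit_function_rename";
    $fcblacklist[] = "runkit_import";
    $fcblacklist[] = "runkit_lint_file";
    $fcblacklist[] = "runkit_lint";
    $fcblacklist[] = "runkit_method_add";
    $fcblacklist[] = "runkit_method_copy";
    $fcblacklist[] = "runkit_method_redefine";
    $fcblacklist[] = "runkit_method_remove";
    $fcblacklist[] = "runkit_method_rename";
    $fcblacklist[] = "runkit_return_value_used";
    $fcblacklist[] = "runkit_sandbox_output_handler";
    $fcblacklist[] = "runkit_superglobals";
    //new names for dangerous functions
    $fcblacklist[] = "opreg_replace";
    $functions[] = "setcookie";
    $functions[] = "setrawcookie";
    //do NOT add preg_replace, for security reasons
    $functions[] = "print_r";
    $functions[] = "explode";
    $functions[] = "strtolower";
    $functions[] = "strtoupper";
    $functions[] = "md5";
    $functions[] = "gettype";
    $functions[] = "sha1";
    $functions[] = "serialize";
    $functions[] = "unserialize";
    $functions[] = "str_rot13";
    $functions[] = "str_shuffle";
    $functions[] = "str_split";
    $functions[] = "str_pad";
    $functions[] = "strcoll";
    $functions[] = "quotemeta";
    $functions[] = "similar_text";
    $functions[] = "strrev";
    $functions[] = "is_array";
    $functions[] = "in_array";
    $functions[] = "get_magic_quotes_gpc"; //exposing info
    $functions[] = "stripslashes";
    $functions[] = "addslashes";
    $functions[] = "session_start";
    $functions[] = "trim";
    $functions[] = "rtrim";
    $functions[] = "ltrim";
    $functions[] = "preg_match";
    $functions[] = "preg_split";
    $functions[] = "strlen";
    $functions[] = "header";
    $functions[] = "htmlspecialchars";
    $functions[] = "htmlentities";
    $functions[] = "html_entity_decode";
    $functions[] = "get_html_translation_table";//exposing info
    $functions[] = "count_chars";
    $functions[] = "chop";
    $functions[] = "urldecode";
    $functions[] = "intval";
    $functions[] = "urlencode";
    $functions[] = "asort";
    $functions[] = "substr";
    $functions[] = "strrchr";
    $functions[] = "chr";
    $functions[] = "ord";
    $functions[] = "crc32";
    $functions[] = "printf";
    $functions[] = "sprintf";
    $functions[] = "ucfirst";
    $functions[] = "join";
    $functions[] = "lcfirst";
    $functions[] = "ucwords";
    $functions[] = "strtok";
    $functions[] = "stripos";
    $functions[] = "substr_count";
    $functions[] = "bin2hex";
    $functions[] = "decbin";
    $functions[] = "bindec";
    $functions[] = "count";
    $functions[] = "define";
    $functions[] = "range";
    $functions[] = "defined";
    $functions[] = "constant";
    $functions[] = "dechex";
    $functions[] = "base_convert";
    $functions[] = "base64_encode";
    $functions[] = "base64_decode";
    $functions[] = "round";
    $functions[] = "var_dump";//exposing info
    $functions[] = "floor";
    $functions[] = "ceil";
    $functions[] = "rand";
    $functions[] = "pi";
    $functions[] = "str_replace";
    $functions[] = "str_ireplace";
    $functions[] = "preg_match_all";
    $functions[] = "strstr";
    $functions[] = "stristr";
    $functions[] = "strpos";
    $functions[] = "crypt";
    $functions[] = "nl2br";
    $functions[] = "implode";
    $functions[] = "cpreg_replace";
    $functions[] = "array_reverse";
    //GD:
    if (extension_loaded('gd') && function_exists('gd_info')) {
        $functions[] = "imagecolorallocate";
        $functions[] = "imagecopy";
        $functions[] = "imagestring";
        $functions[] = "imagedestroy";
        $functions[] = "imagecolortransparent";
        $functions[] = "imagefill";
        $functions[] = "imagesx";
        $functions[] = "imagesy";
        $functions[] = "imagecreatetruecolor";
        $functions[] = "imagecreate";
        $functions[] = "imagetruecolortopalette";
        $functions[] = "imagechar";
        $functions[] = "imagecharup";
        $functions[] = "cimagegif"; //Replacement functions, due to the original ones being able to
        $functions[] = "cimagepng"; //save the results in a file.
        $functions[] = "cimagejpeg"; //Do not allow imagepng, imagejpeg or imagegif.
    }
    $oktokens[] = "T_OPEN_TAG"; //<?php
    $oktokens[] = "T_WHITESPACE";
    $oktokens[] = "T_LNUMBER";
    $oktokens[] = "T_IS_EQUAL";
    $oktokens[] = "T_ECHO";
    $oktokens[] = "T_ENCAPSED_AND_WHITESPACE";
    $oktokens[] = "T_CONSTANT_ENCAPSED_STRING";
    $oktokens[] = "T_COMMENT";
    $oktokens[] = "T_CLOSE_TAG";
    $oktokens[] = "T_CURLY_OPEN";
    $oktokens[] = "T_FUNCTION";
    $oktokens[] = "T_FOREACH";
    $oktokens[] = "T_AS";
    $oktokens[] = "T_DOUBLE_ARROW";
    $oktokens[] = "T_BOOLEAN_OR";
    //$oktokens[] = "T_EXIT";
    $oktokens[] = "T_IS_NOT_EQUAL";
    $oktokens[] = "T_BOOLEAN_AND";
    $oktokens[] = "T_ELSEIF";
    $oktokens[] = "T_ELSE";
    $oktokens[] = "T_INLINE_HTML";
    $oktokens[] = "T_SWITCH";
    $oktokens[] = "T_DEFAULT";
    $oktokens[] = "T_BREAK";
    $oktokens[] = "T_CASE";
    $oktokens[] = "T_FOR";
    $oktokens[] = "T_IF";
    $oktokens[] = "T_INC";
    $oktokens[] = "T_DEC";
    $oktokens[] = "T_RETURN";
    $oktokens[] = "T_DO";
    $oktokens[] = "T_WHILE";
    $oktokens[] = "T_DNUMBER";
    $oktokens[] = "T_ARRAY";
    $oktokens[] = "T_AND_EQUAL";
    $oktokens[] = "T_ARRAY_CAST";
    $oktokens[] = "T_BOOL_CAST";
    $oktokens[] = "T_CONCAT_EQUAL";
    $oktokens[] = "T_CONST";
    $oktokens[] = "T_CONTINUE";
    $oktokens[] = "T_DECLARE";
    $oktokens[] = "T_DIV_EQUAL";
    $oktokens[] = "T_DOUBLE_CAST";
    $oktokens[] = "T_EMPTY";
    $oktokens[] = "T_ENDFOR";
    $oktokens[] = "T_ENDFOREACH";
    $oktokens[] = "T_ENDIF";
    $oktokens[] = "T_ENDSWITCH";
    $oktokens[] = "T_ENDWHILE";
    $oktokens[] = "T_GLOBAL";
    $oktokens[] = "T_INT_CAST";
    $oktokens[] = "T_ISSET";
    $oktokens[] = "T_IS_GREATER_OR_EQUAL";
    $oktokens[] = "T_IS_IDENTICAL";
    $oktokens[] = "T_IS_NOT_EQUAL";
    $oktokens[] = "T_IS_NOT_IDENTICAL";
    $oktokens[] = "T_IS_SMALLER_OR_EQUAL";
    $oktokens[] = "T_LIST";
    $oktokens[] = "T_LOGICAL_AND";
    $oktokens[] = "T_LOGICAL_OR";
    $oktokens[] = "T_LOGICAL_XOR";
    $oktokens[] = "T_MINUS_EQUAL";
    $oktokens[] = "T_ML_COMMENT";
    $oktokens[] = "T_MOD_EQUAL";
    $oktokens[] = "T_MUL_EQUAL";
    $oktokens[] = "T_OPEN_TAG_WITH_ECHO";
    $oktokens[] = "T_OR_EQUAL";
    $oktokens[] = "T_PLUS_EQUAL";
    $oktokens[] = "T_PRINT";
    $oktokens[] = "T_SL";
    $oktokens[] = "T_SL_EQUAL";
    $oktokens[] = "T_SR";
    $oktokens[] = "T_SR_EQUAL";
    $oktokens[] = "T_STRING_CAST";
    $oktokens[] = "T_UNSET";
    $oktokens[] = "T_XOR_EQUAL";
    //oop
    $oktokens[] = "T_CLASS";
    $oktokens[] = "T_NEW";
    $oktokens[] = "T_VAR";
    $oktokens[] = "T_OBJECT_OPERATOR";
    $oktokens[] = "T_PRIVATE";
    $oktokens[] = "T_PUBLIC";
    // Tokens that may directly precede "(" (function calls, control structures, casts
    // and operators); anything else in front of "(" is refused.
    $before[ord("(")] = array(
        "T_STRING", "T_IF", "T_ELSEIF", "T_FOREACH", "T_FOR", "T_WHILE", "T_ECHO", "T_PRINT",
        "T_ISSET", "T_LIST", "T_UNSET", "T_ARRAY", "T_SWITCH", "T_BOOLEAN_OR", "T_BOOLEAN_AND",
        "T_IS_EQUAL", "T_IS_SMALLER_OR_EQUAL", "T_IS_GREATER_OR_EQUAL",
    );
    // Single characters that may directly precede "(".
    $charsbefore[ord("(")] = array("=", "+", "-", "/", "*", "^", "(", "!");

    // The tokenizer's own notices on malformed input are suppressed; the token
    // stream it returns is still checked in full below.
    $tokens = @token_get_all($code);
    foreach ($tokens as $token) {
        if (is_array($token)) {
            $name = token_name($token[0]);
            $prev = token_name($buffer[0][0]); // last significant (non-whitespace, non-comment) token
            if ($name == "T_VARIABLE") {
                if ($debug) echo $name." Variable: ".htmlspecialchars($token[1])."\r\n";
                // "$$name" and "${$name}" would resolve a variable by computed name,
                // which the blacklist below could not see.
                if ($semirawbuffer[0] == "$" || ($semirawbuffer[1] == "$" && $semirawbuffer[0] == "{")) return "Sorry, but you can't use variables as variable name.";
                if (in_array($token[1], $varblacklist, true)) return "Sorry, the variable ".htmlspecialchars($token[1])." is not allowed (line ".$token[2]."). If you need a part of \$_SERVER, a castrated version of \$_SERVER is available under the name \"\$_SERVER2\"";
                elseif ($debug) echo "Variable: ".htmlspecialchars($token[1])." is allowed\r\n";
            } elseif (($name == "T_STRING" || $name == "T_CONSTANT_ENCAPSED_STRING") && $semirawbuffer[0] == "{" && $semirawbuffer[1] == "$") {
                // "${name}" / "${'name'}": variable-variable syntax, refused outright.
                return "Sorry, but this syntax is not allowed.";
            } elseif ($name == "T_STRING" && $prev == "T_FUNCTION" && $semirawbuffer[0] != ";") {
                // Name being given to a user-defined function.
                if ($debug) echo $name." - custom function \"".htmlspecialchars($token[1])."\"\r\n";
                if (in_array($token[1], $fcblacklist, true)) return "Sorry, but this function name (\"".htmlspecialchars($token[1])."\") is not allowed. Try a different one.";
                $customfunctions[] = $token[1];
            } elseif ($name == "T_STRING" && $prev == "T_CLASS" && $semirawbuffer[0] != ";") {
                // Name being given to a user-defined class.
                if ($debug) echo $name." - custom class \"".htmlspecialchars($token[1])."\"\r\n";
                if (in_array($token[1], $fcblacklist, true)) return "Sorry, but this class name (\"".htmlspecialchars($token[1])."\") is not allowed. Try a different one.";
                $customclasses[] = $token[1];
            } elseif ($name == "T_STRING" && $prev == "T_NEW" && $semirawbuffer[0] != ";") {
                // `new X`: only classes the code defined itself (or the empty $classes list).
                if ($debug) echo $name." - class \"".htmlspecialchars($token[1])."\"\r\n";
                if (!in_array($token[1], $classes, true) && !in_array($token[1], $customclasses, true)) {
                    return "Class ".htmlspecialchars($token[1])." not allowed (code line ".htmlspecialchars($token[2]).")".$note;
                }
            } elseif ($name == "T_STRING" && $prev == "T_OBJECT_OPERATOR" && $semirawbuffer[0] != ";") {
                // `->name`: property or method access on a user-defined object.
                if ($debug) echo $name." - class variable/function \"".htmlspecialchars($token[1])."\"\r\n";
                if (in_array($token[1], $fcblacklist, true)) return "Sorry, but this function/variable name (\"".htmlspecialchars($token[1])."\") is not allowed. Try a different one.";
            } elseif ($name == "T_STRING" && ($token[1] == "false" || $token[1] == "true" || $token[1] == "NULL")) {
                if ($debug) echo $name." - true or false or NULL - ".htmlspecialchars($token[1])."\r\n";
            } elseif ($name == "T_STRING") {
                // Any other bare name is treated as a function call and must be allowlisted.
                if ($debug) echo $name." - function \"".htmlspecialchars($token[1])."\"\r\n";
                if (!in_array($token[1], $functions, true) && !in_array($token[1], $customfunctions, true)) {
                    if ($token[1] == "preg_replace") return "Function ".htmlspecialchars($token[1])." not DIRECTLY allowed. If you need to use preg_replace, please use the function cpreg_replace instead. It behaves exactly the same, with the exception that null bytes are ignored completely (as opposed to ending the string) and the e modifier is being ignored. (code line ".htmlspecialchars($token[2]).")".$note;
                    elseif (extension_loaded('gd') && function_exists('gd_info') && ($token[1] == "imagepng" || $token[1] == "imagejpeg" || $token[1] == "imagegif")) return "Function ".htmlspecialchars($token[1])." not DIRECTLY allowed. If you need to use imagegif, imagejpeg, imagepng, please use the functions cimagegif, cimagejpeg and cimagepng instead. They behave exactly the same, with the exception that the second parameter (save to file) is ignored. (code line ".htmlspecialchars($token[2]).")".$note;
                    else return "Function ".htmlspecialchars($token[1])." not allowed (code line ".htmlspecialchars($token[2]).")".$note;
                }
            } elseif (in_array($name, $oktokens, true)) {
                if ($debug) echo $name." (".htmlspecialchars($token[1]).") - OK (is in oktokens)\r\n";
            } else return "Invalid token: ".htmlspecialchars($token[1])." - ".$name." on code line ".$token[2];
        } else {
            // Single-character token (punctuation, operators, brackets).
            $prev = token_name($buffer[0][0]);
            if ($debug) echo "Character: ".htmlspecialchars($token)."\r\n";
            if ($prev == "T_FUNCTION") return "Sorry, but you can't put anything but the function name after \"function\" (excluding comments and whitespaces)";
            if (token_name($buffer[1][0]) == "T_FUNCTION" && $token != "(" && !$bufferage) return "Sorry, but after the function name, the arguments have to follow. (no \"(\" bracket after \"".htmlspecialchars($buffer[0][1])."\" in line ".$buffer[1][2].")";
            if ($prev == "T_CLASS") return "Sorry, but you can't put anything but the class name after \"class\" (excluding comments and whitespaces)";
            if (token_name($buffer[1][0]) == "T_CLASS" && $token != "{" && !$bufferage) return "Sorry, but after the class name, you have to define the class content (no curly bracket after \"".htmlspecialchars($buffer[0][1])."\" in line ".$buffer[1][2].")";
            if (in_array($token, $characterblacklist, true)) return "Sorry, but this character is not allowed.";
            if ($token == "(") {
                // A "(" may only follow a token listed in $before, or an operator
                // character listed in $charsbefore (so `$a = (int) $b` still works).
                if ($semirawbuffer[0] != "=" && $semirawbuffer[0] != "+" && $semirawbuffer[0] != "-" && $semirawbuffer[0] != "/" && $semirawbuffer[0] != "*" && $semirawbuffer[0] != "^" && !in_array($prev, $before[ord("(")], true)) return "Sorry, that token (".$prev.", ".htmlspecialchars($buffer[0][1]).") is not allowed in front of a bracket opening. (line ".$buffer[0][2].")";
                elseif (!is_array($semirawbuffer[0]) && !in_array($semirawbuffer[0], $charsbefore[ord("(")], true)) return "Sorry, that character (".htmlspecialchars($semirawbuffer[0]).") is not allowed in front of a bracket opening.";
            }
        }
        // Advance the look-behind buffers. $buffer only tracks array tokens (skipping
        // whitespace and comments); $semirawbuffer also tracks character tokens.
        if (is_array($token) && token_name($token[0]) != "T_WHITESPACE" && token_name($token[0]) != "T_COMMENT") {
            $bufferage = 0;
            $buffer[2] = $buffer[1];
            $buffer[1] = $buffer[0];
            $buffer[0] = $token;
        } elseif (!is_array($token)) $bufferage++;
        if (!is_array($token) || token_name($token[0]) != "T_WHITESPACE" && token_name($token[0]) != "T_COMMENT") {
            $semirawbuffer[2] = $semirawbuffer[1];
            $semirawbuffer[1] = $semirawbuffer[0];
            $semirawbuffer[0] = $token;
        }
    }
    return 0;
}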
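// Entry point: validate the submitted source, then evaluate it in this process.
// Without a submitted string there is nothing to verify, so do not claim success.
if (!isset($_POST['code']) || !is_string($_POST['code'])) {
    echo "No code submitted.";
} else {
    $x = whitelist($_POST['code']);
    // whitelist() returns exactly 0 on success and a message string otherwise;
    // compare strictly rather than by truthiness.
    if ($x === 0) {
        echo "<b>Code verified.</b><br>";
        //ini_set("display_errors",0);
        ini_set("log_errors", 1);
        //ini_set("track_errors",1);
        // Wall-clock cap for the evaluated code; set_time_limit and sleep are on
        // whitelist()'s function blacklist, so the code itself cannot lift it.
        set_time_limit(1);
        // The leading "?>" puts eval() into inline-HTML mode, so the submitted
        // source's own <?php tag (which whitelist() accepts as T_OPEN_TAG) is valid.
        eval("?>" . $_POST['code']);
        // $php_errormsg is only populated when track_errors is enabled (the ini
        // line above is commented out) and does not exist at all in PHP 8, so
        // guard it instead of reading an undefined variable.
        if (!empty($php_errormsg)) echo "<b>PHP Error:</b> " . $php_errormsg;
    } else {
        echo $x;
    }
}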